NIST CSF Auditor Checklist
| Function | Category |
|---|---|
| IDENTIFY (ID) | Asset Management (ID.AM): The data, personnel, devices, systems, and facilities that enable the organization to achieve business purposes are identified and managed consistent with their relative importance to organizational objectives and the organization's risk strategy. |
| IDENTIFY (ID) | Business Environment (ID.BE): The organization's mission, objectives, stakeholders, and activities are understood and prioritized; this information is used to inform cybersecurity roles, responsibilities, and risk management decisions. |
| IDENTIFY (ID) | Governance (ID.GV): The policies, procedures, and processes to manage and monitor the organization's regulatory, legal, risk, environmental, and operational requirements are understood and inform the management of cybersecurity risk. |
| IDENTIFY (ID) | Risk Assessment (ID.RA): The organization understands the cybersecurity risk to organizational operations (including mission, functions, image, or reputation), organizational assets, and individuals. |
| IDENTIFY (ID) | Risk Management Strategy (ID.RM): The organization's priorities, constraints, risk tolerances, and assumptions are established and used to support operational risk decisions. |
| IDENTIFY (ID) | Supply Chain Risk Management (ID.SC): The organization's priorities, constraints, risk tolerances, and assumptions are established and used to support risk decisions associated with managing supply chain risk. The organization has established and implemented the processes to identify, assess and manage supply chain risks. |
| PROTECT (PR) | Identity Management, Authentication and Access Control (PR.AC): Access to physical and logical assets and associated facilities is limited to authorized users, processes, and devices, and is managed consistent with the assessed risk of unauthorized access to authorized activities and transactions. |
| PROTECT (PR) | Awareness and Training (PR.AT): The organization's personnel and partners are provided cybersecurity awareness education and are trained to perform their cybersecurity-related duties and responsibilities consistent with related policies, procedures, and agreements. |
| PROTECT (PR) | Data Security (PR.DS): Information and records (data) are managed consistent with the organization's risk strategy to protect the confidentiality, integrity, and availability of information. |
| PROTECT (PR) | Information Protection Processes and Procedures (PR.IP): Security policies (that address purpose, scope, roles, responsibilities, management commitment, and coordination among organizational entities), processes, and procedures are maintained and used to manage protection of information systems and assets. |
| PROTECT (PR) | Maintenance (PR.MA): Maintenance and repairs of industrial control and information system components are performed consistent with policies and procedures. |
| PROTECT (PR) | Protective Technology (PR.PT): Technical security solutions are managed to ensure the security and resilience of systems and assets, consistent with related policies, procedures, and agreements. |
| DETECT (DE) | Anomalies and Events (DE.AE): Anomalous activity is detected and the potential impact of events is understood. |
| DETECT (DE) | Security Continuous Monitoring (DE.CM): The information system and assets are monitored to identify cybersecurity events and verify the effectiveness of protective measures. |
| DETECT (DE) | Detection Processes (DE.DP): Detection processes and procedures are maintained and tested to ensure awareness of anomalous events. |
| RESPOND (RS) | Response Planning (RS.RP): Response processes and procedures are executed and maintained, to ensure response to |
| RESPOND (RS) | Communications (RS.CO): Response activities are coordinated with internal and external stakeholders (e.g. external support from law enforcement agencies). |
| RESPOND (RS) | Analysis (RS.AN): Analysis is conducted to ensure effective response and support recovery activities. |
| RESPOND (RS) | Mitigation (RS.MI): Activities are performed to prevent expansion of an event, mitigate its effects, and resolve the incident. |
| RESPOND (RS) | Improvements (RS.IM): Organizational response activities are improved by incorporating lessons learned from current and previous detection/response activities. |
| RECOVER (RC) | Recovery Planning (RC.RP): Recovery processes and procedures are executed and maintained to ensure restoration of |
| RECOVER (RC) | Improvements (RC.IM): Recovery planning and processes are improved by incorporating lessons learned into future activities. |
| RECOVER (RC) | Communications (RC.CO): Restoration activities are coordinated with internal and external parties (e.g. coordinating centers, Internet Service Providers, owners of attacking systems, victims, other CSIRTs, and vendors). |
| Subcategory | In Compliance |
|---|---|
| ID.AM-1: Physical devices and systems within the organization are inventoried | Yes |
| ID.AM-2: Software platforms and applications within the organization are inventoried | Yes |
| ID.AM-3: Organizational communication and data flows are mapped | No |
| ID.AM-4: External information systems are catalogued | Yes |
| ID.AM-5: Resources (e.g., hardware, devices, data, time, personnel, and software) are prioritized based on their classification, criticality, and business value | Yes |
| ID.AM-6: Cybersecurity roles and responsibilities for the entire workforce and third-party stakeholders (e.g., suppliers, customers, partners) are established | No |
| ID.BE-1: The organization's role in the supply chain is identified and communicated | No |
| ID.BE-2: The organization's place in critical infrastructure and its industry sector is identified and communicated | No |
| ID.BE-3: Priorities for organizational mission, objectives, and activities are established and communicated | No |
| ID.BE-4: Dependencies and critical functions for delivery of critical services are established | No |
| ID.BE-5: Resilience requirements to support delivery of critical services are established for all operating states (e.g. under duress/attack, during recovery, normal operations) | No |
| ID.GV-1: Organizational cybersecurity policy is established and communicated | No |
| ID.GV-2: Cybersecurity roles and responsibilities are coordinated and aligned with internal roles and external partners | No |
| ID.GV-3: Legal and regulatory requirements regarding cybersecurity, including privacy and civil liberties obligations, are understood and managed | No |
| ID.GV-4: Governance and risk management processes address cybersecurity risks | Yes |
| ID.RA-1: Asset vulnerabilities are identified and documented | Yes w/CC |
| ID.RA-2: Cyber threat intelligence is received from information sharing forums and sources | Yes |
| ID.RA-3: Threats, both internal and external, are identified and documented | Yes |
| ID.RA-4: Potential business impacts and likelihoods are identified | Yes |
| ID.RA-5: Threats, vulnerabilities, likelihoods, and impacts are used to determine risk | Yes |
| ID.RA-6: Risk responses are identified and prioritized | Yes |
| ID.RM-1: Risk management processes are established, managed, and agreed to by organizational stakeholders | No |
| ID.RM-2: Organizational risk tolerance is determined and clearly expressed | No |
| ID.RM-3: The organization's determination of risk tolerance is informed by its role in critical infrastructure and sector specific risk analysis | No |
| ID.SC-1: Cyber supply chain risk management processes are identified, established, assessed, managed, and agreed to by organizational stakeholders | No |
| ID.SC-2: Suppliers and third party partners of information systems, components, and services are identified, prioritized, and assessed using a cyber supply chain risk assessment process | Yes |
| ID.SC-3: Contracts with suppliers and third-party partners are used to implement appropriate measures designed to meet the objectives of an organization's cybersecurity program and Cyber Supply Chain Risk Management Plan. | No |
| ID.SC-4: Suppliers and third-party partners are routinely assessed using audits, test results, or other forms of evaluations to confirm they are meeting their contractual obligations. | No |
| ID.SC-5: Response and recovery planning and testing are conducted with suppliers and third-party providers | No |
| PR.AC-1: Identities and credentials are issued, managed, verified, revoked, and audited for authorized devices, users and processes | No |
| PR.AC-2: Physical access to assets is managed and protected | No |
| PR.AC-3: Remote access is managed | No |
| PR.AC-4: Access permissions and authorizations are managed, incorporating the principles of least privilege and separation of duties | Yes |
| PR.AC-5: Network integrity is protected (e.g., network segregation, network segmentation) | No |
| PR.AC-6: Identities are proofed and bound to credentials and asserted in interactions | No |
| PR.AC-7: Users, devices, and other assets are authenticated (e.g., single-factor, multi-factor) commensurate with the risk of the transaction (e.g., individuals' security and privacy risks and other organizational risks) | Yes |
| PR.AT-1: All users are informed and trained | No |
| PR.AT-2: Privileged users understand their roles and responsibilities | No |
| PR.AT-3: Third-party stakeholders (e.g., suppliers, customers, partners) understand their roles and responsibilities | No |
| PR.AT-4: Senior executives understand their roles and responsibilities | No |
| PR.AT-5: Physical and cybersecurity personnel understand their roles and responsibilities | No |
| PR.DS-1: Data-at-rest is protected | No |
| PR.DS-2: Data-in-transit is protected | No |
| PR.DS-3: Assets are formally managed throughout removal, transfers, and disposition | No |
| PR.DS-4: Adequate capacity to ensure availability is maintained | No |
| PR.DS-5: Protections against data leaks are implemented | No |
| PR.DS-6: Integrity checking mechanisms are used to verify software, firmware, and information integrity | No |
| PR.DS-7: The development and testing environment(s) are separate from the production environment | No |
| PR.DS-8: Integrity checking mechanisms are used to verify hardware integrity | No |
| PR.IP-1: A baseline configuration of information technology/industrial control systems is created and maintained incorporating security principles (e.g. concept of least functionality) | No |
| PR.IP-2: A System Development Life Cycle to manage systems is implemented | No |
| PR.IP-3: Configuration change control processes are in place | No |
| PR.IP-4: Backups of information are conducted, maintained, and tested | No |
| PR.IP-5: Policy and regulations regarding the physical operating environment for organizational assets are met | No |
| PR.IP-6: Data is destroyed according to policy | No |
| PR.IP-7: Protection processes are improved | No |
| PR.IP-8: Effectiveness of protection technologies is shared | No |
| PR.IP-9: Response plans (Incident Response and Business Continuity) and recovery plans (Incident Recovery and Disaster Recovery) are in place and managed | No |
| PR.IP-10: Response and recovery plans are tested | No |
| PR.IP-11: Cybersecurity is included in human resources practices (e.g., deprovisioning, personnel screening) | No |
| PR.IP-12: A vulnerability management plan is developed and implemented | No |
| PR.MA-1: Maintenance and repair of organizational assets are performed and logged, with approved and controlled tools | No |
| PR.MA-2: Remote maintenance of organizational assets is approved, logged, and performed in a manner that prevents unauthorized access | No |
| PR.PT-1: Audit/log records are determined, documented, implemented, and reviewed in accordance with policy | No |
| PR.PT-2: Removable media is protected and its use restricted according to policy | No |
| PR.PT-3: The principle of least functionality is incorporated by configuring systems to provide only essential capabilities | No |
| PR.PT-4: Communications and control networks are protected | No |
| PR.PT-5: Mechanisms (e.g., failsafe, load balancing, hot swap) are implemented to achieve resilience requirements in normal and adverse situations | No |
| DE.AE-1: A baseline of network operations and expected data flows for users and systems is established and managed | Yes |
| DE.AE-2: Detected events are analyzed to understand attack targets and methods | No |
| DE.AE-3: Event data are collected and correlated from multiple sources and sensors | No |
| DE.AE-4: Impact of events is determined | No |
| DE.AE-5: Incident alert thresholds are established | No |
| DE.CM-1: The network is monitored to detect potential cybersecurity events | Yes |
| DE.CM-2: The physical environment is monitored to detect potential cybersecurity events | Yes |
| DE.CM-3: Personnel activity is monitored to detect potential cybersecurity events | Yes |
| DE.CM-4: Malicious code is detected | No |
| DE.CM-5: Unauthorized mobile code is detected | Yes |
| DE.CM-6: External service provider activity is monitored to detect potential cybersecurity events | Yes |
| DE.CM-7: Monitoring for unauthorized personnel, connections, devices, and software is performed | Yes |
| DE.CM-8: Vulnerability scans are performed | Yes |
| DE.DP-1: Roles and responsibilities for detection are well defined to ensure accountability | No |
| DE.DP-2: Detection activities comply with all applicable requirements | No |
| DE.DP-3: Detection processes are tested | Yes |
| DE.DP-4: Event detection information is communicated | No |
| DE.DP-5: Detection processes are continuously improved | No |
| RS.RP-1: Response plan is executed during or after an incident | No |
| RS.CO-1: Personnel know their roles and order of operations when a response is needed | No |
| RS.CO-2: Incidents are reported consistent with established criteria | No |
| RS.CO-3: Information is shared consistent with response plans | No |
| RS.CO-4: Coordination with stakeholders occurs consistent with response plans | No |
| RS.CO-5: Voluntary information sharing occurs with external stakeholders to achieve broader cybersecurity situational awareness | No |
| RS.AN-1: Notifications from detection systems are investigated | No |
| RS.AN-2: The impact of the incident is understood | Yes |
| RS.AN-3: Forensics are performed | No |
| RS.AN-4: Incidents are categorized consistent with response plans | Yes |
| RS.AN-5: Processes are established to receive, analyze and respond to vulnerabilities disclosed to the organization from internal and external sources (e.g. internal testing, security bulletins, or security researchers) | No |
| RS.MI-1: Incidents are contained | No |
| RS.MI-2: Incidents are mitigated | Yes |
| RS.MI-3: Newly identified vulnerabilities are mitigated or documented as accepted risks | No |
| RS.IM-1: Response plans incorporate lessons learned | No |
| RS.IM-2: Response strategies are updated | No |
| RC.RP-1: Recovery plan is executed during or after a cybersecurity incident | Yes |
| RC.IM-1: Recovery plans incorporate lessons learned | No |
| RC.IM-2: Recovery strategies are updated | No |
| RC.CO-1: Public relations are managed | Yes |
| RC.CO-2: Reputation is repaired after an incident | No |
| RC.CO-3: Recovery activities are communicated to internal and external stakeholders as well as executive and management teams | No |
| References | Issues |
|---|---|
| Evidence of Compliance, Asset Inventory Worksheet | |
| Evidence of Compliance, Application Inventory Worksheet | |
| Evidence of Compliance, NIST CSF - Identify Worksheet | See Risk Treatment Plan. |
| Evidence of Compliance, External Information System Worksheet | |
| Evidence of Compliance, Policies and Procedures | |
| Evidence of Compliance, Policies and Procedures | See Risk Treatment Plan. |
| Evidence of Compliance, NIST CSF - Identify Worksheet | See Risk Treatment Plan. |
| Evidence of Compliance, NIST CSF - Identify Worksheet | See Risk Treatment Plan. |
| Evidence of Compliance, NIST CSF - Identify Worksheet | See Risk Treatment Plan. |
| Evidence of Compliance, NIST CSF - Identify Worksheet | See Risk Treatment Plan. |
| Evidence of Compliance, NIST CSF - Identify Worksheet | See Risk Treatment Plan. |
| Evidence of Compliance, NIST CSF - Identify Worksheet | See Risk Treatment Plan. |
| Evidence of Compliance, NIST CSF - Identify Worksheet | See Risk Treatment Plan. |
| Evidence of Compliance, NIST CSF - Identify Worksheet | See Risk Treatment Plan. |
| Evidence of Compliance, NIST CSF - Identify Worksheet | See Risk Treatment Plan and Compensating Control Worksheet. |
| Evidence of Compliance, NIST CSF - Identify Worksheet | |
| Risk Analysis, Risk Treatment Plan, External Vulnerability Scan Detail by Issue Report, Windows Patch Summary, Full Detail Excel Export | |
| Risk Analysis, Risk Treatment Plan | |
| Risk Analysis, Risk Treatment Plan | |
| Risk Analysis, Risk Treatment Plan | |
| Evidence of Compliance, NIST CSF - Identify Worksheet | See Risk Treatment Plan. |
| Evidence of Compliance, NIST CSF - Identify Worksheet | See Risk Treatment Plan. |
| Evidence of Compliance, NIST CSF - Identify Worksheet | See Risk Treatment Plan. |
| Evidence of Compliance, NIST CSF - Identify Worksheet | See Risk Treatment Plan. |
| Evidence of Compliance, NIST CSF - Identify Worksheet | |
| Evidence of Compliance, NIST CSF - Identify Worksheet | See Risk Treatment Plan. |
| Evidence of Compliance, NIST CSF - Identify Worksheet | See Risk Treatment Plan. |
| Evidence of Compliance, NIST CSF - Identify Worksheet | See Risk Treatment Plan. |
| Evidence of Compliance, NIST CSF - Protect Worksheet | See Risk Treatment Plan. |
| Evidence of Compliance, NIST CSF - Protect Worksheet | See Risk Treatment Plan. |
| Evidence of Compliance, NIST CSF - Protect Worksheet | See Risk Treatment Plan. |
| Evidence of Compliance, NIST CSF - Protect Worksheet | |
| Evidence of Compliance, NIST CSF - Protect Worksheet | See Risk Treatment Plan. |
| Evidence of Compliance, NIST CSF - Protect Worksheet | See Risk Treatment Plan. |
| Evidence of Compliance, NIST CSF - Protect Worksheet | |
| Evidence of Compliance, NIST CSF - Protect Worksheet | See Risk Treatment Plan. |
| Evidence of Compliance, NIST CSF - Protect Worksheet | See Risk Treatment Plan. |
| Evidence of Compliance, NIST CSF - Protect Worksheet | See Risk Treatment Plan. |
| Evidence of Compliance, NIST CSF - Protect Worksheet | See Risk Treatment Plan. |
| Evidence of Compliance, NIST CSF - Protect Worksheet | See Risk Treatment Plan. |
| Evidence of Compliance, NIST CSF - Protect Worksheet | See Risk Treatment Plan. |
| Evidence of Compliance, NIST CSF - Protect Worksheet | See Risk Treatment Plan. |
| Evidence of Compliance, NIST CSF - Protect Worksheet | See Risk Treatment Plan. |
| Evidence of Compliance, NIST CSF - Protect Worksheet | See Risk Treatment Plan. |
| Evidence of Compliance, NIST CSF - Protect Worksheet | See Risk Treatment Plan. |
| Evidence of Compliance, NIST CSF - Protect Worksheet | See Risk Treatment Plan. |
| Evidence of Compliance, NIST CSF - Protect Worksheet | See Risk Treatment Plan. |
| Evidence of Compliance, NIST CSF - Protect Worksheet | See Risk Treatment Plan. |
| Evidence of Compliance, NIST CSF - Protect Worksheet | See Risk Treatment Plan. |
| Evidence of Compliance, NIST CSF - Protect Worksheet | See Risk Treatment Plan. |
| Evidence of Compliance, NIST CSF - Protect Worksheet | See Risk Treatment Plan. |
| Evidence of Compliance, NIST CSF - Protect Worksheet | See Risk Treatment Plan. |
| Evidence of Compliance, NIST CSF - Protect Worksheet | See Risk Treatment Plan. |
| Evidence of Compliance, NIST CSF - Protect Worksheet | See Risk Treatment Plan. |
| Evidence of Compliance, NIST CSF - Protect Worksheet | See Risk Treatment Plan. |
| Evidence of Compliance, NIST CSF - Protect Worksheet | See Risk Treatment Plan. |
| Evidence of Compliance, NIST CSF - Protect Worksheet | See Risk Treatment Plan. |
| Evidence of Compliance, NIST CSF - Protect Worksheet | See Risk Treatment Plan. |
| Evidence of Compliance, NIST CSF - Protect Worksheet | See Risk Treatment Plan. |
| Evidence of Compliance, NIST CSF - Protect Worksheet | See Risk Treatment Plan. |
| Evidence of Compliance, NIST CSF - Protect Worksheet | See Risk Treatment Plan. |
| Evidence of Compliance, NIST CSF - Protect Worksheet | See Risk Treatment Plan. |
| Evidence of Compliance, NIST CSF - Protect Worksheet | See Risk Treatment Plan. |
| Evidence of Compliance, NIST CSF - Protect Worksheet | See Risk Treatment Plan. |
| Evidence of Compliance, NIST CSF - Protect Worksheet | See Risk Treatment Plan. |
| Evidence of Compliance, NIST CSF - Protect Worksheet | See Risk Treatment Plan. |
| Evidence of Compliance, NIST CSF - Detect Worksheet | |
| Evidence of Compliance, NIST CSF - Detect Worksheet | See Risk Treatment Plan. |
| Evidence of Compliance, NIST CSF - Detect Worksheet | See Risk Treatment Plan. |
| Evidence of Compliance, NIST CSF - Detect Worksheet | See Risk Treatment Plan. |
| Evidence of Compliance, NIST CSF - Detect Worksheet | See Risk Treatment Plan. |
| Evidence of Compliance, NIST CSF - Detect Worksheet | |
| Evidence of Compliance, NIST CSF - Detect Worksheet | |
| Evidence of Compliance, NIST CSF - Detect Worksheet | |
| Evidence of Compliance, Antivirus Verification Worksheet | See Risk Treatment Plan. |
| Evidence of Compliance, NIST CSF - Detect Worksheet, Antivirus Verification Worksheet | |
| Evidence of Compliance, NIST CSF - Detect Worksheet, Antivirus Verification Worksheet | |
| Evidence of Compliance, NIST CSF - Detect Worksheet, Antivirus Verification Worksheet | |
| Evidence of Compliance, External Vulnerability Scan Detail by Issue Report | |
| Evidence of Compliance, NIST CSF - Detect Worksheet, Antivirus Verification Worksheet | See Risk Treatment Plan. |
| Evidence of Compliance, NIST CSF - Detect Worksheet, Antivirus Verification Worksheet | See Risk Treatment Plan. |
| Evidence of Compliance, NIST CSF - Detect Worksheet, Antivirus Verification Worksheet | |
| Evidence of Compliance, NIST CSF - Detect Worksheet, Antivirus Verification Worksheet | See Risk Treatment Plan. |
| Evidence of Compliance, NIST CSF - Detect Worksheet, Antivirus Verification Worksheet | See Risk Treatment Plan. |
| Evidence of Compliance, NIST CSF - Response Worksheet | See Risk Treatment Plan. |
| Evidence of Compliance, NIST CSF - Response Worksheet | See Risk Treatment Plan. |
| Evidence of Compliance, NIST CSF - Response Worksheet | See Risk Treatment Plan. |
| Evidence of Compliance, NIST CSF - Response Worksheet | See Risk Treatment Plan. |
| Evidence of Compliance, NIST CSF - Response Worksheet | See Risk Treatment Plan. |
| Evidence of Compliance, NIST CSF - Response Worksheet | See Risk Treatment Plan. |
| Evidence of Compliance, NIST CSF - Response Worksheet | See Risk Treatment Plan. |
| Evidence of Compliance, NIST CSF - Response Worksheet | |
| Evidence of Compliance, NIST CSF - Response Worksheet | See Risk Treatment Plan. |
| Evidence of Compliance, NIST CSF - Response Worksheet | |
| Evidence of Compliance, NIST CSF - Response Worksheet | See Risk Treatment Plan. |
| Evidence of Compliance, NIST CSF - Response Worksheet | See Risk Treatment Plan. |
| Evidence of Compliance, NIST CSF - Response Worksheet | |
| Evidence of Compliance, NIST CSF - Response Worksheet | See Risk Treatment Plan. |
| Evidence of Compliance, NIST CSF - Response Worksheet | See Risk Treatment Plan. |
| Evidence of Compliance, NIST CSF - Response Worksheet | See Risk Treatment Plan. |
| Evidence of Compliance, NIST CSF - Recover Worksheet | |
| Evidence of Compliance, NIST CSF - Recover Worksheet | See Risk Treatment Plan. |
| Evidence of Compliance, NIST CSF - Recover Worksheet | See Risk Treatment Plan. |
| Evidence of Compliance, NIST CSF - Recover Worksheet | |
| Evidence of Compliance, NIST CSF - Recover Worksheet | See Risk Treatment Plan. |
| Evidence of Compliance, NIST CSF - Recover Worksheet | See Risk Treatment Plan. |