Appendix A List of Acronyms

| Acronym | Expansion |
|---|---|
| BYOD | Bring Your Own Device |
| COBIT | Control Objectives for Information and Related Technologies |
| CIA | Confidentiality, Integrity, Availability |
| CIS | Center for Internet Security |
| CNSSI | Committee on National Security Systems Instruction |
| CRADA | Cooperative Research And Development Agreement |
| CSC | Critical Security Controls |
| CSF | Cybersecurity Framework |
| FIPS | Federal Information Processing Standard |
| HTTPS | Hypertext Transfer Protocol Secure |
| IEC | International Electrotechnical Commission |
| IP | Internet Protocol |
| ISA | International Society of Automation |
| ISO | International Organization for Standardization |
| IT | Information Technology |
| ITL | Information Technology Laboratory |
| MAC | Media Access Control |
| MFA | Multi-Factor Authentication |
| NCCoE | National Cybersecurity Center of Excellence |
| NIST | National Institute of Standards and Technology |
| NIST IR | NIST Interagency or Internal Report |
| PII | Personally Identifiable Information |
| PRAM | Privacy Risk Assessment Methodology |
| RDP | Remote Desktop Protocol |
| RMF | Risk Management Framework |
| SMS | Short Messaging Service |
| SP | Special Publication |
| URL | Uniform Resource Locator |
| USB | Universal Serial Bus |
| VDI | Virtual Desktop Interface |
Appendix B Glossary

| Term | Definition |
|---|---|
| Access Control | The process of granting or denying specific requests to 1) obtain and use information and related information processing services and 2) enter specific physical facilities (e.g., federal buildings, military establishments, border crossing entrances). SOURCE: Federal Information Processing Standard (FIPS) 201-3 |
| Adversary | Person, group, organization, or government that conducts or has the intent to conduct detrimental activities. SOURCE: CNSSI 4009-2015 |
| Asset | A major application, general support system, high impact program, physical plant, mission critical system, personnel, equipment, or a logically related group of systems. SOURCE: Committee on National Security Systems Instruction (CNSSI) 4009-2015 |
| Authentication | Verifying the identity of a user, process, or device, often as a prerequisite to allowing access to resources in an information system. SOURCE: FIPS 200 |
| Authorization | Access privileges granted to a user, program, or process, or the act of granting those privileges. SOURCE: CNSSI 4009-2015 |
| Backup | A copy of files and programs made to facilitate recovery if necessary. SOURCE: NIST SP 800-34 Rev. 1 |
| Breach | The loss of control, compromise, unauthorized disclosure, unauthorized acquisition, or any similar occurrence where: a person other than an authorized user accesses or potentially accesses personally identifiable information; or an authorized user accesses personally identifiable information for an other than authorized purpose. SOURCE: NIST SP 800-53 Rev. 5 |
| Control | The means of managing risk, including policies, procedures, guidelines, practices, or organizational structures, which can be of an administrative, technical, management, or legal nature. SOURCE: NIST SP 800-160 Vol. 2 Rev. 1 |
| Confidentiality | Preserving authorized restrictions on information access and disclosure, including means for protecting personal privacy and proprietary information. SOURCE: FIPS 200 |
| Data | A subset of information in an electronic format that allows it to be retrieved or transmitted. SOURCE: CNSSI 4008-2015 |
| Data Action | A system/product/service data life cycle operation, including, but not limited to, collection, retention, logging, generation, transformation, use, disclosure, sharing, transmission, and disposal. SOURCE: NIST Privacy Framework Version 1. |
| Disassociability | Enabling the processing of PII or events without association to individuals or devices beyond the operational requirements of the system. SOURCE: NISTIR 8062 |
| Encrypt | Cryptographically transform data to produce cipher text. SOURCE: CNSSI 4009-2015 |
| Enterprise | An entity of any size, complexity, or positioning within an organizational structure. SOURCE: NIST SP 800-72 |
| Event | Any observable occurrence in a network or system. SOURCE: CNSSI 4009-2015 |
| Exfiltration | The unauthorized transfer of information from an information system. SOURCE: CNSSI 4009-2015 |
| Incident | An occurrence that actually or potentially jeopardizes the confidentiality, integrity, or availability of an information system or the information the system processes, stores, or transmits, or that constitutes a violation or imminent threat of violation of security policies, security procedures, or acceptable use policies. SOURCE: FIPS 200 |
| Integrity | Guarding against improper information modification or destruction, and includes ensuring information non-repudiation and authenticity. SOURCE: FIPS 200 |
| Malware | Hardware, firmware, or software that is intentionally included or inserted in a system for a harmful purpose. SOURCE: CNSSI 4009-2015 |
| Manageability | Providing the capability for granular administration of PII, including alteration, deletion, and selective disclosure. SOURCE: NISTIR 8062 |
| Mitigation | A decision, action, or practice intended to reduce the level of risk associated with one or more threat events, threat scenarios, or vulnerabilities. SOURCE: NIST SP 1800-160 Vol. 2 Rev. 1 |
| Phishing | A technique for attempting to acquire sensitive data, such as bank account numbers, through a fraudulent solicitation in email or on a web site, in which the perpetrator masquerades as a legitimate business or reputable person. SOURCE: CNSSI 4009-2015 |
| Predictability | Enabling reliable assumptions by individuals, owners, and operators about PII and its processing by a system. SOURCE: NISTIR 8062 |
| Privacy | A condition that safeguards human dignity and autonomy by means of methods that achieve predictability, manageability, and disassociability. |
| Risk | The level of impact on organizational operations (including mission, functions, image, or reputation), organizational assets, or individuals resulting from the operation of an information system, given the potential impact of a threat and the likelihood of that threat occurring. SOURCE: FIPS 200 |
| Security Control | The safeguards or countermeasures prescribed for an information system or an organization to protect the confidentiality, integrity, and availability of the system and its information. SOURCE: NIST SP 800-53 |
| Security Policy | A set of rules that governs all aspects of security-relevant system and system component behavior. SOURCE: NIST SP 800-53 Rev. 5 |
| Spear Phishing | A colloquial term that can be used to describe any highly targeted phishing attack. SOURCE: CNSSI 4009-2015 |
| Threat | Any circumstance or event with the potential to adversely impact organizational operations, organizational assets, individuals, other organizations, or the Nation through a system via unauthorized access, destruction, disclosure, modification of information, and/or denial of service. SOURCE: NIST SP 800-53 Rev. 5 |
| Vulnerability | Weakness in an information system, system security procedures, internal controls, or implementation that could be exploited or triggered by a threat source. SOURCE: FIPS 200 |
Appendix C References

[B1] W. Barker, Guideline for Identifying an Information System as a National Security System, National Institute of Standards and Technology (NIST) Special Publication (SP) 800-59, Gaithersburg, Md., Aug. 2003, 17 pp. Available: https://doi.org/10.6028/NIST.SP.800-59.

[B2] T. McBride et al., Data Integrity: Identifying and Protecting Assets Against Ransomware and Other Destructive Events, National Institute of Standards and Technology (NIST) Special Publication (SP) 1800-25, Gaithersburg, Md., Dec. 2020, 488 pp. Available: https://doi.org/10.6028/NIST.SP.1800-25.

[B3] T. McBride et al., Data Integrity: Detecting and Responding to Ransomware and Other Destructive Events, National Institute of Standards and Technology (NIST) Special Publication (SP) 1800-26, Gaithersburg, Md., Dec. 2020, 441 pp. Available: https://doi.org/10.6028/NIST.SP.1800-26.

[B4] T. McBride et al., Data Integrity: Recovering from Ransomware and Other Destructive Events, National Institute of Standards and Technology (NIST) Special Publication (SP) 1800-11, Gaithersburg, Md., Sep. 2020, 377 pp. Available: https://doi.org/10.6028/NIST.SP.1800-11.

[B5] M. Souppaya and K. Scarfone, Guide to Malware Incident Prevention and Handling for Desktops and Laptops, National Institute of Standards and Technology (NIST) Special Publication (SP) 800-83 Revision 1, Gaithersburg, Md., July 2013, 36 pp. Available: https://doi.org/10.6028/NIST.SP.800-83r1.

[B6] M. Souppaya and K. Scarfone, Guide to Enterprise Telework, Remote Access, and Bring Your Own Device (BYOD) Security, National Institute of Standards and Technology (NIST) Special Publication (SP) 800-46 Revision 2, Gaithersburg, Md., July 2016, 43 pp. Available: https://doi.org/10.6028/NIST.SP.800-46r2.

[B7] M. Bartok et al., Guide for Cybersecurity Event Recovery, National Institute of Standards and Technology (NIST) Special Publication (SP) 800-184, Gaithersburg, Md., Dec. 2016, 45 pp. Available: https://doi.org/10.6028/NIST.SP.800-184.

[B8] NIST, Privacy Framework. Available: https://www.nist.gov/privacy-framework.

[B9] NIST, Cybersecurity Framework. Available: http://www.nist.gov/cyberframework.

[B10] W. Barker et al., Ransomware Risk Management: A Cybersecurity Framework Profile, NIST Interagency Report 8374, Gaithersburg, Md., Feb. 2022, 23 pp. Available: https://doi.org/10.6028/NIST.IR.8374.

[B11] S. Brooks et al., An Introduction to Privacy Engineering and Risk Management in Federal Systems, NIST Interagency Report 8062, Gaithersburg, Md., Jan. 2017, 41 pp. Available: https://doi.org/10.6028/NIST.IR.8062.

[B12] Joint Task Force, Risk Management Framework for Information Systems and Organizations, National Institute of Standards and Technology (NIST) Special Publication (SP) 800-37 Revision 2, Gaithersburg, Md., Dec. 2018, 164 pp. Available: https://doi.org/10.6028/NIST.SP.800-37r2.

[B13] NIST, Risk Management Framework. Available: https://csrc.nist.gov/projects/risk-management/about-rmf.

[B14] Joint Task Force Transformation Initiative, Guide for Conducting Risk Assessments, National Institute of Standards and Technology (NIST) Special Publication (SP) 800-30 Revision 1, Gaithersburg, Md., Sep. 2012, 83 pp. Available: https://doi.org/10.6028/NIST.SP.800-30r1.

[B15] NIST, Privacy Risk Assessment Methodology. Available: https://www.nist.gov/privacy-framework/nist-pram.

[B16] NIST, Catalog of Problematic Data Actions and Problems. Available: https://github.com/usnistgov/PrivacyEngCollabSpace/blob/master/tools/risk-assessment/NIST-Privacy-Risk-Assessment-Methodology-PRAM/catalog-PDAP.md.

[B17] NIST, Privacy Framework Resource Repository. Available: https://www.nist.gov/privacy-framework/resource-repository.
Appendix D Security Control Map

The following table lists the NIST Cybersecurity Framework Functions, Categories, and Subcategories addressed by this project and maps them to relevant NIST standards, industry standards, and controls and best practices. The Function, Category, and Subcategory columns are taken from Cybersecurity Framework v1.1; the Informative References column lists the corresponding Standards & Best Practices. A blank Function or Category cell continues the entry above it.

Table 6-1 Security Control Map

| Function | Category | Subcategory | Informative References |
|---|---|---|---|
| DETECT (DE) | Anomalies and Events (DE.AE) | DE.AE-1: A baseline of network operations and expected data flows for users and systems is established and managed | CIS CSC 1, 4, 6, 12, 13, 15, 16; COBIT 5 DSS03.01; ISA 62443-2-1:2009 4.4.3.3; ISO/IEC 27001:2013 A.12.1.1, A.12.1.2, A.13.1.1, A.13.1.2; NIST SP 800-53 Rev. 4 AC-4, CA-3, CM-2, SI-4 |
| | | DE.AE-2: Detected events are analyzed to understand attack targets and methods | CIS CSC 3, 6, 13, 15; COBIT 5 DSS05.07; ISA 62443-2-1:2009 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8; ISA 62443-3-3:2013 SR 2.8, SR 2.9, SR 2.10, SR 2.11, SR 2.12, SR 3.9, SR 6.1, SR 6.2; ISO/IEC 27001:2013 A.12.4.1, A.16.1.1, A.16.1.4; NIST SP 800-53 Rev. 4 AU-6, CA-7, IR-4, SI-4 |
| | | DE.AE-3: Event data are collected and correlated from multiple sources and sensors | CIS CSC 1, 3, 4, 5, 6, 7, 8, 11, 12, 13, 14, 15, 16; COBIT 5 BAI08.02; ISA 62443-3-3:2013 SR 6.1; ISO/IEC 27001:2013 A.12.4.1, A.16.1.7; NIST SP 800-53 Rev. 4 AU-6, CA-7, IR-4, IR-5, IR-8, SI-4 |
| | | DE.AE-4: Impact of events is determined | CIS CSC 4, 6; COBIT 5 APO12.06, DSS03.01; ISO/IEC 27001:2013 A.16.1.4; NIST SP 800-53 Rev. 4 CP-2, IR-4, RA-3, SI-4 |
| | Security Continuous Monitoring (DE.CM) | DE.CM-1: The network is monitored to detect potential cybersecurity events | CIS CSC 1, 7, 8, 12, 13, 15, 16; COBIT 5 DSS01.03, DSS03.05, DSS05.07; ISA 62443-3-3:2013 SR 6.2; NIST SP 800-53 Rev. 4 AC-2, AU-12, CA-7, CM-3, SC-5, SC-7, SI-4 |
| | | DE.CM-3: Personnel activity is monitored to detect potential cybersecurity events | CIS CSC 5, 7, 14, 16; COBIT 5 DSS05.07; ISA 62443-3-3:2013 SR 6.2; ISO/IEC 27001:2013 A.12.4.1, A.12.4.3; NIST SP 800-53 Rev. 4 AC-2, AU-12, AU-13, CA-7, CM-10, CM-11 |
| | | DE.CM-4: Malicious code is detected | CIS CSC 4, 7, 8, 12; COBIT 5 DSS05.01; ISA 62443-2-1:2009 4.3.4.3.8; ISA 62443-3-3:2013 SR 3.2; ISO/IEC 27001:2013 A.12.2.1; NIST SP 800-53 Rev. 4 SI-3, SI-8 |
| | | DE.CM-7: Monitoring for unauthorized personnel, connections, devices, and software is performed | CIS CSC 1, 2, 3, 5, 9, 12, 13, 15, 16; COBIT 5 DSS05.02, DSS05.05; ISO/IEC 27001:2013 A.12.4.1, A.14.2.7, A.15.2.1; NIST SP 800-53 Rev. 4 AU-12, CA-7, CM-3, CM-8, PE-3, PE-6, PE-20, SI-4 |
| RESPOND (RS) | Communications (RS.CO) | RS.CO-2: Incidents are reported consistent with established criteria | CIS CSC 19; COBIT 5 DSS01.03; ISA 62443-2-1:2009 4.3.4.5.5; ISO/IEC 27001:2013 A.6.1.3, A.16.1.2; NIST SP 800-53 Rev. 4 AU-6, IR-6, IR-8 |
| | Analysis (RS.AN) | RS.AN-3: Forensics are performed | COBIT 5 APO12.06, DSS03.02, DSS05.07; ISA 62443-3-3:2013 SR 2.8, SR 2.9, SR 2.10, SR 2.11, SR 2.12, SR 3.9, SR 6.1; ISO/IEC 27001:2013 A.16.1.7; NIST SP 800-53 Rev. 4 AU-7, IR-4 |
| | Mitigation (RS.MI) | RS.MI-2: Incidents are mitigated | CIS CSC 4, 19; COBIT 5 APO12.06; ISA 62443-2-1:2009 4.3.4.5.6, 4.3.4.5.10; ISO/IEC 27001:2013 A.12.2.1, A.16.1.5; NIST SP 800-53 Rev. 4 IR-4 |
| RECOVER (RC) | Recover (RC.RP) | RC.RP-1: Recovery plan is executed during or after a cybersecurity incident | CIS CSC 10; COBIT 5 APO12.06, DSS02.05, DSS03.04; ISO/IEC 27001:2013 A.16.1.5; NIST SP 800-53 Rev. 4 CP-10, IR-4, IR-8 |
Appendix E Privacy Control Map

The following table lists the NIST Privacy Framework Functions, Categories, and Subcategories addressed by this project and maps them to relevant NIST standards, industry standards, and controls and best practices. The Function, Category, and Subcategory columns are taken from Privacy Framework 1.0; the Informative References column lists the corresponding Standards and Best Practices. A blank Function or Category cell continues the entry above it.

NOTE: The International Organization for Standardization/International Electrotechnical Commission (ISO/IEC) standard 27701 references were not mapped by NIST, but by an external organization. They are available at the NIST Privacy Framework Repository [B17] and are provided here for convenience. The Fair Information Privacy Principles (FIPPS) references are provided to aid understanding of the Privacy Control Map.

Table 6-2 Privacy Control Map

| Function | Category | Subcategory | Informative References |
|---|---|---|---|
| CONTROL-P (CT-P): Develop and implement appropriate activities to enable organizations or individuals to manage data with sufficient granularity to manage privacy risks. | Data Processing Management (CT.DM-P): Data are managed consistent with the organization's risk strategy to protect individuals' privacy, increase manageability, and enable the implementation of privacy principles (e.g., individual participation, data quality, data minimization). | CT.DM-P8: Audit/log records are determined, documented, and reviewed in accordance with policy and incorporating the principle of data minimization. | FIPPS 4: Minimization; NIST SP 800-53 Rev. 5: AU-1, AU-2, AU-3, AU-6, AU-7, AU-12, AU-13, AU-14, AU-16; NIST IR 8062; ISO/IEC 27701:2019 6.9.4.1, 6.9.4.2, 6.15.1.3 |
| PROTECT-P (PR-P): Develop and implement appropriate data processing safeguards. | Identity Management, Authentication, and Access Control (PR.AC-P): Access to data and devices is limited to authorized individuals, processes, and devices, and is managed consistent with the assessed risk of unauthorized access. | PR.AC-P1: Identities and credentials are issued, managed, verified, revoked, and audited for authorized individuals, processes, and devices. | FIPPS 8: Security; NIST SP 800-53 Rev. 5: IA-1, IA-2, IA-3, IA-4, IA-5, IA-7, IA-8, IA-9, IA-10, IA-11, IA-12; NIST SP 800-63-3; ISO/IEC 27701:2019 6.6.2.1, 6.6.2.2, 6.6.4.2 |
| | | PR.AC-P3: Remote access is managed. | FIPPS 8: Security; FIPS Publication 199; NIST SP 800-46 Rev. 2; NIST SP 800-53 Rev. 5: AC-1, AC-17, AC-19, AC-20, SC-15; NIST SP 800-77; NIST SP 800-113; NIST SP 800-114 Rev. 1; NIST SP 800-121 Rev. 2; ISO/IEC 27701:2019 6.6.2.1, 6.6.2.2 |
| | | PR.AC-P5: Network integrity is protected (e.g., network segregation, network segmentation). | FIPPS 8: Security; NIST SP 800-53 Rev. 5: AC-4, AC-10, SC-7, SC-10, SC-20 |
| | | PR.AC-P6: Individuals and devices are proofed and bound to credentials and authenticated commensurate with the risk of the transaction (e.g., individuals' security and privacy risks and other organizational risks). | FIPPS 8: Security; NIST SP 800-53 Rev. 5: AC-14, AC-16, IA-1, IA-2, IA-3, IA-4, IA-5, IA-8, IA-9, IA-10, IA-11, IA-12, PE-2, PS-3; NIST SP 800-63-3 |
| | Protective Technology (PR.PT-P): Technical security solutions are managed to ensure the security and resilience of systems/products/services and associated data, consistent with related policies, processes, procedures, and agreements. | PR.PT-P3: Communications and control networks are protected. | NIST SP 800-53 Rev. 5 (draft): AC-4, AC-17, AC-18, CP-8, SC-7, SC-20, SC-21, SC-22, SC-23, SC-24, SC-25, SC-29, SC-32, SC-36, SC-37, SC-38, SC-39, SC-40, SC-41, SC-43 |