( RLD )


FASTCyberSS - NIST CSF







RvwCode=


Clr Crrt ID






All INOP items logged for

Add Asset ID


shghivd4u,20210525_1606GMT,ID.AM-1: Physical devices and systems within the organization are inventoried,INOP shghivd4u,20210525_1607GMT,ID.AM-4: External information systems are catalogued,INOP shghivd4u,20210525_1607GMT,ID.AM-6: Cybersecurity roles and responsibilities for the entire workforce and third-party stakeholders (e.g., suppliers, customers, partners) are established,INOP 6fsro9loa,20210525_2317GMT,ID.RA-1: Asset vulnerabilities are identified and documented,INOP 3fsu332tr,20210604_2033UTC,ID.AM-6: Cybersecurity roles and responsibilities for the entire workforce and third-party stakeholders (e.g., suppliers, customers, partners) are established,INOP 3fsu332tr,20210604_2034UTC,ID.BE-3: Priorities for organizational mission, objectives, and activities are established and communicated,INOP 3fsu332tr,20210604_2034UTC,ID.BE-4: Dependencies and critical functions for delivery of critical services are established,INOP 3fsu332tr,20210604_2035UTC,ID.BE-5: Resilience requirements to support delivery of critical services are established for all operating states (e.g. under duress/attack, during recovery, normal operations),INOP 3fsu332tr,20210604_2036UTC,ID.GV-2: Cybersecurity roles and responsibilities are coordinated and aligned with internal roles and external partners,INOP 3fsu332tr,20210604_2036UTC,ID.GV-3: Legal and regulatory requirements regarding cybersecurity, including privacy and civil liberties obligations, are understood and managed,INOP 3fsu332tr,20210604_2038UTC,ID.RA-4: Potential business impacts and likelihoods are identified,INOP 3fsu332tr,20210604_2106UTC,ID.AM-1: Physical devices and systems within the organization are inventoried,INOP b6o5ru51g,20210604_2234UTC,ID.AM-2: Software platforms and applications within the organization are inventoried,INOP b6o5ru51g,20210604_2235UTC,ID.AM-3: Organizational communication and data flows are mapped,INOP b6o5ru51g,20210604_2236UTC,ID.AM-4: External information systems are catalogued,INOP b6o5ru51g,20210604_2241UTC,ID.BE-3: Priorities for organizational mission, objectives, and activities a

re established and communicated,INOP b6o5ru51g,20210604_2247UTC,NIST CSF - ID, PR, DE, RS, RC,INOP b6o5ru51g,20210604_2247UTC,ID.AM-1: Physical devices and systems within the organization are inventoried,INOP b6o5ru51g,20210604_2255UTC,ID.BE-1: The organization_s role in the supply chain is identified and communicated,INOP b6o5ru51g,20210604_2255UTC,ID.BE-2: The organization_s place in critical infrastructure and its industry sector is identified and communicated,INOP jnb7tl7f8,20210604_2303UTC,ID.AM-1: Physical devices and systems within the organization are inventoried,INOP jnb7tl7f8,20210604_2303UTC,ID.AM-2: Software platforms and applications within the organization are inventoried,INOP jnb7tl7f8,20210604_2303UTC,ID.AM-3: Organizational communication and data flows are mapped,INOP jnb7tl7f8,20210604_2303UTC,ID.AM-4: External information systems are catalogued,INOP jnb7tl7f8,20210604_2303UTC,ID.AM-5: Resources (e.g., hardware, devices, data, time, personnel, and software) are prioritized based on their classification, criticality, and business value,INOP jnb7tl7f8,20210604_2303UTC,ID.AM-6: Cybersecurity roles and responsibilities for the entire workforce and third-party stakeholders (e.g., suppliers, customers, partners) are established,INOP jnb7tl7f8,20210604_2303UTC,ID.BE-1: The organization_s role in the supply chain is identified and communicated,INOP jnb7tl7f8,20210604_2303UTC,ID.BE-2: The organization_s place in critical infrastructure and its industry sector is identified and communicated,INOP jnb7tl7f8,20210604_2303UTC,ID.BE-3: Priorities for organizational mission, objectives, and activities are established and communicated,INOP jnb7tl7f8,20210604_2303UTC,ID.BE-4: Dependencies and critical functions for delivery of critical services are established,INOP jnb7tl7f8,20210604_2303UTC,ID.BE-5: Resilience requirements to support delivery of critical services are established for all operating states (e.g. under duress/attack, during recovery, normal operations),INOP jnb7tl7f8,20210604_2303UTC,ID.GV-1: Organizational cybersecurity policy is established and comm

unicated,INOP jnb7tl7f8,20210604_2304UTC,ID.GV-2: Cybersecurity roles and responsibilities are coordinated and aligned with internal roles and external partners,INOP jnb7tl7f8,20210604_2304UTC,ID.GV-3: Legal and regulatory requirements regarding cybersecurity, including privacy and civil liberties obligations, are understood and managed,INOP jnb7tl7f8,20210604_2304UTC,ID.GV-4: Governance and risk management processes address cybersecurity risks,INOP jnb7tl7f8,20210604_2304UTC,ID.RA-1: Asset vulnerabilities are identified and documented,INOP jnb7tl7f8,20210604_2304UTC,ID.RA-2: Cyber threat intelligence is received from information sharing forums and sources,INOP jnb7tl7f8,20210604_2304UTC,ID.RA-3: Threats, both internal and external, are identified and documented,INOP jnb7tl7f8,20210604_2304UTC,ID.RA-4: Potential business impacts and likelihoods are identified,INOP jnb7tl7f8,20210604_2304UTC,ID.RA-5: Threats, vulnerabilities, likelihoods, and impacts are used to determine risk,INOP jnb7tl7f8,20210604_2304UTC,ID.RA-6: Risk responses are identified and prioritized,INOP jnb7tl7f8,20210604_2304UTC,ID.RM-1: Risk management processes are established, managed, and agreed to by organizational stakeholders,INOP jnb7tl7f8,20210604_2304UTC,ID.RM-2: Organizational risk tolerance is determined and clearly expressed,INOP jnb7tl7f8,20210604_2304UTC,ID.RM-3: The organization_s determination of risk tolerance is informed by its role in critical infrastructure and sector specific risk analysis,INOP jnb7tl7f8,20210604_2304UTC,ID.SC-1: Cyber supply chain risk management processes are identified, established, assessed, managed, and agreed to by organizational stakeholders,INOP jnb7tl7f8,20210604_2304UTC,ID.SC-2: Suppliers and third party partners of information systems, components, and services are identified, prioritized, and assessed using a cyber supply chain risk assessment process,INOP jnb7tl7f8,20210604_2305UTC,ID.SC-3: Contracts with suppliers and third-party partners are used to implement appropriate measures designed to meet the objectives of an organization_s cybersecurity progra

m and Cyber Supply Chain Risk Management Plan.,INOP jnb7tl7f8,20210604_2305UTC,ID.SC-4: Suppliers and third-party partners are routinely assessed using audits, test results, or other forms of evaluations to confirm they are meeting their contractual obligations.,INOP dak3j9vl0,20210604_2306UTC,ID.BE-5: Resilience requirements to support delivery of critical services are established for all operating states (e.g. under duress/attack, during recovery, normal operations),INOP jnb7tl7f8,20210604_2307UTC,ID.SC-5: Response and recovery planning and testing are conducted with suppliers and third-party providers,INOP jnb7tl7f8,20210604_2307UTC,PR.AC-1: Identities and credentials are issued, managed, verified, revoked, and audited for authorized devices, users and processes,INOP jnb7tl7f8,20210604_2307UTC,PR.AC-2: Physical access to assets is managed and protected,INOP jnb7tl7f8,20210604_2307UTC,PR.AC-3: Remote access is managed,INOP jnb7tl7f8,20210604_2307UTC,PR.AC-4: Access permissions and authorizations are managed, incorporating the principles of least privilege and separation of duties,INOP jnb7tl7f8,20210604_2308UTC,PR.AC-5: Network integrity is protected (e.g., network segregation, network segmentation),INOP jnb7tl7f8,20210604_2308UTC,PR.AC-6: Identities are proofed and bound to credentials and asserted in interactions,INOP jnb7tl7f8,20210604_2310UTC,PR.AT-1: All users are informed and trained,INOP jnb7tl7f8,20210604_2310UTC,PR.AT-2: Privileged users understand their roles and responsibilities,INOP jnb7tl7f8,20210604_2310UTC,PR.AT-3: Third-party stakeholders (e.g., suppliers, customers, partners) understand their roles and responsibilities,INOP jnb7tl7f8,20210604_2312UTC,PR.AC-7: Users, devices, and other assets are authenticated (e.g., single-factor, multi-factor) commensurate with the risk of the transaction (e.g., individuals security and privacy risks and other organizational risks),INOP jnb7tl7f8,20210604_2312UTC,PR.AT-4: Senior executives understand their roles and responsibilities,INOP jnb7tl7f8,20210604_2312UTC,PR.AT-5: Physical and cybersecurity personnel understa

nd their roles and responsibilities,INOP jnb7tl7f8,20210604_2312UTC,PR.DS-1: Data-at-rest is protected,INOP jnb7tl7f8,20210604_2312UTC,PR.DS-2: Data-in-transit is protected,INOP jnb7tl7f8,20210604_2312UTC,PR.DS-3: Assets are formally managed throughout removal, transfers, and disposition,INOP jnb7tl7f8,20210604_2312UTC,PR.DS-4: Adequate capacity to ensure availability is maintained,INOP jnb7tl7f8,20210604_2312UTC,PR.DS-5: Protections against data leaks are implemented,INOP jnb7tl7f8,20210604_2312UTC,PR.DS-6: Integrity checking mechanisms are used to verify software, firmware, and information integrity,INOP jnb7tl7f8,20210604_2312UTC,PR.DS-7: The development and testing environment(s) are separate from the production environment,INOP jnb7tl7f8,20210604_2313UTC,PR.DS-8: Integrity checking mechanisms are used to verify hardware integrity,INOP jnb7tl7f8,20210604_2313UTC,PR.IP-1: A baseline configuration of information technology/industrial control systems is created and maintained incorporating security principles (e.g. concept of least functionality),INOP jnb7tl7f8,20210604_2313UTC,PR.IP-2: A System Development Life Cycle to manage systems is implemented,INOP jnb7tl7f8,20210604_2314UTC,PR.IP-3: Configuration change control processes are in place,INOP jnb7tl7f8,20210604_2314UTC,PR.IP-4: Backups of information are conducted, maintained, and tested,INOP jnb7tl7f8,20210604_2314UTC,PR.IP-5: Policy and regulations regarding the physical operating environment for organizational assets are met,INOP jnb7tl7f8,20210604_2314UTC,PR.IP-6: Data is destroyed according to policy,INOP jnb7tl7f8,20210604_2314UTC,PR.IP-7: Protection processes are improved,INOP jnb7tl7f8,20210604_2314UTC,PR.IP-8: Effectiveness of protection technologies is shared,INOP jnb7tl7f8,20210604_2314UTC,PR.IP-9: Response plans (Incident Response and Business Continuity) and recovery plans (Incident Recovery and Disaster Recovery) are in place and managed,INOP jnb7tl7f8,20210604_2314UTC,PR.IP-10: Response and recovery plans are tested,INOP jnb7tl7f8,20210604_2314UTC,PR.IP-11: Cybersecurity is includ

ed in human resources practices (e.g., deprovisioning, personnel screening),INOP jnb7tl7f8,20210604_2314UTC,PR.IP-12: A vulnerability management plan is developed and implemented,INOP jnb7tl7f8,20210604_2314UTC,PR.MA-1: Maintenance and repair of organizational assets are performed and logged, with approved and controlled tools,INOP jnb7tl7f8,20210604_2314UTC,PR.MA-2: Remote maintenance of organizational assets is approved, logged, and performed in a manner that prevents unauthorized access,INOP jnb7tl7f8,20210604_2314UTC,PR.PT-1: Audit/log records are determined, documented, implemented, and reviewed in accordance with policy,INOP jnb7tl7f8,20210604_2314UTC,PR.PT-2: Removable media is protected and its use restricted according to policy,INOP jnb7tl7f8,20210604_2314UTC,PR.PT-3: The principle of least functionality is incorporated by configuring systems to provide only essential capabilities,INOP jnb7tl7f8,20210604_2315UTC,PR.PT-4: Communications and control networks are protected,INOP jnb7tl7f8,20210604_2315UTC,PR.PT-5: Mechanisms (e.g., failsafe, load balancing, hot swap) are implemented to achieve resilience requirements in normal and adverse situations,INOP jnb7tl7f8,20210604_2315UTC,DE.AE-1: A baseline of network operations and expected data flows for users and systems is established and managed,INOP jnb7tl7f8,20210604_2315UTC,DE.AE-2: Detected events are analyzed to understand attack targets and methods,INOP jnb7tl7f8,20210604_2315UTC,DE.AE-3: Event data are collected and correlated from multiple sources and sensors,INOP jnb7tl7f8,20210604_2315UTC,DE.AE-4: Impact of events is determined,INOP jnb7tl7f8,20210604_2315UTC,DE.AE-5: Incident alert thresholds are established,INOP jnb7tl7f8,20210604_2315UTC,DE.CM-1: The network is monitored to detect potential cybersecurity events,INOP jnb7tl7f8,20210604_2315UTC,DE.CM-2: The physical environment is monitored to detect potential cybersecurity events,INOP jnb7tl7f8,20210604_2315UTC,DE.CM-3: Personnel activity is monitored to detect potential cybersecurity events,INOP jnb7tl7f8,20210604_2315UTC,DE.CM-4: Malicious code is detect

ed,INOP jnb7tl7f8,20210604_2315UTC,DE.CM-5: Unauthorized mobile code is detected,INOP jnb7tl7f8,20210604_2315UTC,DE.CM-6: External service provider activity is monitored to detect potential cybersecurity events,INOP jnb7tl7f8,20210604_2315UTC,DE.CM-7: Monitoring for unauthorized personnel, connections, devices, and software is performed,INOP jnb7tl7f8,20210604_2315UTC,DE.CM-8: Vulnerability scans are performed,INOP jnb7tl7f8,20210604_2316UTC,DE.DP-2: Detection activities comply with all applicable requirements,INOP jnb7tl7f8,20210604_2316UTC,DE.DP-3: Detection processes are tested,INOP jnb7tl7f8,20210604_2316UTC,DE.DP-4: Event detection information is communicated,INOP jnb7tl7f8,20210604_2316UTC,DE.DP-5: Detection processes are continuously improved,INOP jnb7tl7f8,20210604_2316UTC,RS.RP-1: Response plan is executed during or after an incident,INOP jnb7tl7f8,20210604_2316UTC,RS.CO-1: Personnel know their roles and order of operations when a response is needed,INOP jnb7tl7f8,20210604_2316UTC,RS.CO-2: Incidents are reported consistent with established criteria,INOP jnb7tl7f8,20210604_2316UTC,RS.CO-3: Information is shared consistent with response plans,INOP jnb7tl7f8,20210604_2316UTC,RS.CO-4: Coordination with stakeholders occurs consistent with response plans,INOP jnb7tl7f8,20210604_2317UTC,RS.CO-5: Voluntary information sharing occurs with external stakeholders to achieve broader cybersecurity situational awareness,INOP jnb7tl7f8,20210604_2317UTC,RS.AN-1: Notifications from detection systems are investigated,INOP jnb7tl7f8,20210604_2317UTC,RS.AN-2: The impact of the incident is understood,INOP jnb7tl7f8,20210604_2317UTC,RS.AN-2: The impact of the incident is understood,INOP jnb7tl7f8,20210604_2317UTC,RS.AN-3: Forensics are performed,INOP jnb7tl7f8,20210604_2317UTC,RS.AN-4: Incidents are categorized consistent with response plans,INOP 8tl0bd41s,20210604_2317UTC,PR.PT-1: Audit/log records are determined, documented, implemented, and reviewed in accordance with policy,INOP jnb7tl7f8,20210604_2318UTC,RS.AN-5: Processes are established to receive

, analyze and respond to vulnerabilities disclosed to the organization from internal and external sources (e.g. internal testing, security bulletins, or security researchers),INOP jnb7tl7f8,20210604_2318UTC,RS.MI-1: Incidents are contained,INOP jnb7tl7f8,20210604_2318UTC,RS.MI-2: Incidents are mitigated,INOP jnb7tl7f8,20210604_2318UTC,RS.MI-3: Newly identified vulnerabilities are mitigated or documented as accepted risks,INOP jnb7tl7f8,20210604_2318UTC,RS.IM-1: Response plans incorporate lessons learned,INOP jnb7tl7f8,20210604_2318UTC,RS.IM-2: Response strategies are updated,INOP jnb7tl7f8,20210604_2318UTC,RC.RP-1: Recovery plan is executed during or after a cybersecurity incident,INOP jnb7tl7f8,20210604_2318UTC,RC.IM-1: Recovery plans incorporate lessons learned,INOP jnb7tl7f8,20210604_2318UTC,RC.IM-2: Recovery strategies are updated,INOP jnb7tl7f8,20210604_2318UTC,RC.CO-1: Public relations are managed,INOP jnb7tl7f8,20210604_2319UTC,RC.CO-2: Reputation is repaired after an incident,INOP jnb7tl7f8,20210604_2319UTC,RC.CO-3: Recovery activities are communicated to internal and external stakeholders as well as executive and management teams,INOP s9f04hnja,20210630_1702UTC,ID.BE-1: The organization_s role in the supply chain is identified and communicated,INOP s9f04hnja,20210630_2151UTC,ID.BE-5: Resilience requirements to support delivery of critical services are established for all operating states (e.g. under duress/attack, during recovery, normal operations),INOP s9f04hnja,20210701_0019UTC,ID.GV-1: Organizational cybersecurity policy is established and communicated,INOP s9f04hnja,20210701_0025UTC,ID.GV-2: Cybersecurity roles and responsibilities are coordinated and aligned with internal roles and external partners,INOP ufm4h64ss,20210706_1449UTC,ID.GV-2: Cybersecurity roles and responsibilities are coordinated and aligned with internal roles and external partners,INOP 0vc923cm7,20210716_0225UTC,ID.AM-3: Organizational communication and data flows are mapped,INOP 0vc923cm7,20210716_0227UTC,ID.AM-4: External information systems are catalogued,INOP 0vc923cm

7,20210716_0229UTC,ID.AM-5: Resources (e.g., hardware, devices, data, time, personnel, and software) are prioritized based on their classification, criticality, and business value,INOP