Map: NIST CSF v1.1 to v2.0
Functions and categories comparison table based on version 2.0 to 1.1. A manual review of the changes is recommended. 71 categories and subcategories are fully mapped.
| v2.0 Function | Category | Activities | v1.1 | Category | Activities |
|---|---|---|---|---|---|
| Govern (GV) | The organization’s cybersecurity risk management strategy, expectations, and policy are established, communicated, and monitored. | previously ID.GV | |||
| Organization Context (GV.OC) | The circumstances - mission, stakeholder expectations, dependencies, and legal, regulatory, and contractual requirements - surrounding the organization’s cybersecurity risk management decisions are understood. | previously ID.BE | |||
| Risk Management Strategy (GV.RM) | The organization’s priorities, constraints, risk tolerance and appetite statements, and assumptions are established, communicated, and used to support operational risk decisions. | previously ID.RM | |||
| Roles, Responsibilities, and Authorities (GV.RR) | Cybersecurity roles, responsibilities, and authorities to foster accountability, performance assessment, and continuous improvement are established and communicated. | N/A | |||
| Policy, Processes, and Procedures (GV.PO) | Organizational cybersecurity policy is established, communicated, and enforced. | N/A | |||
| Oversight (GV.OV) | Results of organization-wide cybersecurity risk management activities and performance are used to inform, improve, and adjust the risk management strategy. | N/A | |||
| Cybersecurity Supply Chain Risk Management (GV.SC) | Cyber supply chain risk management processes are identified, established, managed, monitored, and improved by organizational stakeholders. | previously ID.SC | |||
| Identify (ID) | The organization’s current cybersecurity risks are understood. | Identify | The Identify Function assists in developing an organizational understanding of managing cybersecurity risk to systems, people, assets, data, and capabilities. Understanding the business context, the resources that support critical functions, and the related cybersecurity risks enables an organization to focus and prioritize its efforts, consistent with its risk management strategy and business needs. | ||
| Asset Management (ID.AM) | Assets (e.g., data, hardware, software, systems, facilities, services, people) that enable the organization to achieve business purposes are identified and managed consistent with their relative importance to organizational objectives and the organization’s risk strategy. | Asset Management | Identifying physical and software assets within the organization to establish the basis of an Asset Management program. | ||
| Risk Assessment (ID.RA) | The cybersecurity risk to the organization, assets, and individuals is understood by the organization. | Risk Assessment | Identifying asset vulnerabilities, threats to internal and external organizational resources, and risk response activities as a basis for the organization’s Risk Assessment. | ||
| Improvement (ID.IM) | Improvements to organizational cybersecurity risk management processes, procedures and activities are identified across all CSF Functions. | N/A | |||
| now GV.OC | Business Environment | Identifying the Business Environment the organization supports, including the organization’s role in the supply chain and the organizations place in the critical infrastructure sector. | |||
| now GV | Governance | Identifying cybersecurity policies established within the organization to define the Governance program as well as identifying legal and regulatory requirements regarding the organization’s cybersecurity capabilities. | |||
| now GV.RM | Risk Management Strategy | Identifying a Risk Management Strategy for the organization, including establishing risk tolerances. | |||
| now GV.SC | Supply Chain Risk Management | Identifying a Supply Chain Risk Management strategy, including priorities, constraints, risk tolerances, and assumptions used to support risk decisions associated with managing supply chain risks. | |||
| Protect (PR) | Safeguards to manage the organization’s cybersecurity risks are used. | Protect | The Protect Function outlines appropriate safeguards to ensure the delivery of critical infrastructure services. The Protect Function supports the ability to limit or contain the impact of a potential cybersecurity event. | ||
| Identity Management, Auth and Access Control (PR.AA) | Access to physical and logical assets is limited to authorized users, services, and hardware and managed commensurate with the assessed risk of unauthorized access. | Identity Management, Auth and Access Control | Protections for Identity Management and Access Control within the organization, including physical and remote access. | ||
| Awareness and Training (PR.AT) | The organization’s personnel are provided with cybersecurity awareness and training so that they can perform their cybersecurity-related tasks. | Awareness and Training | Empowering staff within the organization through Awareness and Training, including role-based and privileged user training. | ||
| Data Security (PR.DS) | Data are managed consistent with the organization’s risk strategy to protect the confidentiality, integrity, and availability of information. | Data Security | Establishing Data Security protection consistent with the organization’s risk strategy to protect information confidentiality, integrity, and availability. | ||
| Platform Security | (PR.PS)The hardware, software (e.g., firmware, operating systems, applications), and services of physical and virtual platforms are managed consistent with the organization’s risk strategy to protect their confidentiality, integrity, and availability. | N/A | |||
| Technology Infrastructure Resilience (PR.IR) | Security architectures are managed with the organization’s risk strategy to protect asset confidentiality, integrity, and availability, and organizational resilience. | N/A | |||
| now in various other functions and subcategories | Info Protection Processes and Procedures | Implementing Information Protection Processes and Procedures to maintain and manage the protection of information systems and assets. | |||
| now ID.AM-08 | Maintenance | Protecting organizational resources through Maintenance, including remote maintenance activities. | |||
| now in various PR categories | Protective Technologies | Managing Protective Technology to ensure the security and resilience of systems and assists are consistent with organizational policies, procedures, and agreements. | |||
| Detect (DE) | Possible cybersecurity attacks and compromises are found and analyzed. | Detect | The Detect Function defines the appropriate activities to identify the occurrence of a cybersecurity event. The Detect Function enables the timely discovery of cybersecurity events. | ||
| Continuous Monitoring (DE.CM) | Assets are monitored to find anomalies, indicators of compromise, and other potentially adverse events. | N/A | |||
| Adverse Event Analysis (DE.AE) | Anomalies, indicators of compromise, and other potentially adverse events are analyzed to characterize the events and detect cybersecurity incidents. | N/A | |||
| removed | Anomalies and Events | Ensuring Anomalies and Events are detected and their potential impact is understood. | |||
| removed | Security Continuous Monitoring | Implementing Security Continuous Monitoring capabilities to monitor cybersecurity events and verify the effectiveness of protective measures, including network and physical activities. | |||
| now in various other functions and subcategories | Detection Processes | Maintaining Detection Processes to provide awareness of anomalous events. | |||
| Respond (RS) | Actions regarding a detected cybersecurity incident are taken. | Respond | The Respond Function includes appropriate activities to take action regarding a detected cybersecurity incident. The Respond Function supports the ability to contain the impact of a potential cybersecurity incident. | ||
| RS.MA | Incident Management | Responses to detected cybersecurity incidents are managed. | previously RS.RP | ||
| RS.AN | Incident Analysis | Investigations are conducted to ensure effective response and support forensics and recovery activities. | Analysis | Analysis is conducted to ensure effective response and support recovery activities including forensic analysis, and determining the impact of incidents. | |
| RS.CO | Incident Response Reporting and Communication | Response activities are coordinated with internal and external stakeholders as required by laws, regulations, or policies. | |||
| RS.MI | Incident Mitigation | Activities are performed to prevent expansion of an event and mitigate its effects. | Mitigation | Mitigation activities are performed to prevent expansion of an event and to resolve the incident. | |
| now RS.MA | Response Planning | Ensuring Response Planning process are executed during and after an incident. | |||
| now RS.MA | Communications | Managing Communications during and after an event with stakeholders, law enforcement, and external stakeholders as appropriate. | |||
| now ID.IM | Improvements | The organization implements Improvements by incorporating lessons learned from current and previous detection/response activities. | |||
| Recover (RC) | The Recover Function identifies appropriate activities to maintain plans for resilience and to restore any capabilities or services that were impaired due to a cybersecurity incident. The Recover Function supports timely recovery to normal operations to reduce the impact of a cybersecurity incident. | Recover | The Recover Function identifies appropriate activities to maintain plans for resilience and to restore any capabilities or services that were impaired due to a cybersecurity incident. The Recover Function supports timely recovery to normal operations to reduce the impact of a cybersecurity incident. | ||
| Incident Recovery Plan Execution (RC.RP) | Restoration activities are performed to ensure operational availability of systems and services affected by cybersecurity incidents. | N/A | |||
| Incident Recovery Communication (RC.RO) | Restoration activities are coordinated with internal and external parties. | N/A | |||
| now RC.RP | Recovery Planning | Ensuring the organization implements Recovery Planning processes and procedures to restore systems and/or assets affected by cybersecurity incidents. | |||
| now ID.IM | Improvements | Implementing Improvements based on lessons learned and reviews of existing strategies. | |||
| now RC.CO | Communications | Internal and external Communications are coordinated during and following the recovery from a cybersecurity incident. |