...
Control | SubControl | IG (Implementation Group) | SubControl Description | Coverage | Info |
---|---|---|---|---|---|
1 | 1 | 1 | Establish and Maintain Detailed Enterprise Asset Inventory | Facilitates | |
1 | 2 | 1 | Address Unauthorized Assets | Facilitates | |
1 | 3 | 2 | Utilize an Active Discovery Tool | Partial | |
1 | 4 | 2 | Use DHCP Logging to Update Asset Inventory | | |
1 | 5 | 3 | Use a Passive Asset Discovery Tool | | |
2 | 1 | 1 | Establish and Maintain a Software Inventory | Facilitates | |
2 | 2 | 1 | Ensure Authorized Software is Currently Supported | Facilitates | |
2 | 3 | 1 | Address Unauthorized Software | Facilitates | |
2 | 4 | 2 | Utilize Automated Software Inventory Tools | Partial | |
2 | 5 | 2 | Allowlist Authorized Software | Facilitates | |
2 | 6 | 2 | Allowlist Authorized Libraries | | |
2 | 7 | 3 | Allowlist Authorized Scripts | | |
3 | 1 | 1 | Establish and Maintain a Data Management Process | | |
3 | 2 | 1 | Establish and Maintain a Data Inventory | Facilitates | |
3 | 3 | 1 | Configure Data Access Control Lists | | |
3 | 4 | 1 | Enforce Data Retention | | |
3 | 5 | 1 | Securely Dispose of Data | | |
3 | 6 | 1 | Encrypt Data on End-User Devices | | |
3 | 7 | 2 | Establish and Maintain a Data Classification Scheme | | |
3 | 8 | 2 | Document Data Flows | | |
3 | 9 | 2 | Encrypt Data on Removable Media | | |
3 | 10 | 2 | Encrypt Sensitive Data In Transit | | |
3 | 11 | 2 | Encrypt Sensitive Data at Rest | | |
3 | 12 | 2 | Segment Data Processing and Storage Based on Sensitivity | | |
3 | 13 | 3 | Deploy a Data Loss Prevention Solution | Facilitates | |
3 | 14 | 3 | Log Sensitive Data Access | | |
4 | 1 | 1 | Establish and Maintain a Secure Configuration Process | Facilitates | |
4 | 2 | 1 | Establish and Maintain a Secure Configuration Process for Network Infrastructure | | |
4 | 3 | 1 | Configure Automatic Session Locking on Enterprise Assets | Facilitates | |
4 | 4 | 1 | Implement and Manage a Firewall on Servers | Facilitates | |
4 | 5 | 1 | Implement and Manage a Firewall on End-User Devices | Facilitates | |
4 | 6 | 1 | Securely Manage Enterprise Assets and Software | | |
4 | 7 | 1 | Manage Default Accounts on Enterprise Assets and Software | Facilitates | |
4 | 8 | 2 | Uninstall or Disable Unnecessary Services on Enterprise Assets and Software | Facilitates | |
4 | 9 | 2 | Configure Trusted DNS Servers on Enterprise Assets | | |
4 | 10 | 2 | Enforce Automatic Device Lockout on Portable End-User Devices | Facilitates | |
4 | 11 | 2 | Enforce Remote Wipe Capability on Portable End-User Devices | | |
4 | 12 | 3 | Separate Enterprise Workspaces on Mobile End-User Devices | | |
5 | 1 | 1 | Establish and Maintain an Inventory of Accounts | Facilitates | |
5 | 2 | 1 | Use Unique Passwords | Facilitates | |
5 | 3 | 1 | Disable Dormant Accounts | Facilitates | |
5 | 4 | 1 | Restrict Administrator Privileges to Dedicated Administrator Accounts | | |
5 | 5 | 2 | Establish and Maintain an Inventory of Service Accounts | Facilitates | |
5 | 6 | 2 | Centralize Account Management | | |
6 | 1 | 1 | Establish an Access Granting Process | | |
6 | 2 | 1 | Establish an Access Revoking Process | | |
6 | 3 | 1 | Require MFA for Externally-Exposed Applications | | |
6 | 4 | 1 | Require MFA for Remote Network Access | | |
6 | 5 | 1 | Require MFA for Administrative Access | | |
6 | 6 | 2 | Establish and Maintain an Inventory of Authentication and Authorization Systems | | |
6 | 7 | 2 | Centralize Access Control | | |
6 | 8 | 3 | Define and Maintain Role-Based Access Control | | |
7 | 1 | 1 | Establish and Maintain a Vulnerability Management Process | Facilitates | |
7 | 2 | 1 | Establish and Maintain a Remediation Process | Facilitates | |
7 | 3 | 1 | Perform Automated Operating System Patch Management | Partial | |
7 | 4 | 1 | Perform Automated Application Patch Management | Partial | |
7 | 5 | 2 | Perform Automated Vulnerability Scans of Internal Enterprise Assets | Fully | |
7 | 6 | 2 | Perform Automated Vulnerability Scans of Externally-Exposed Enterprise Assets | Fully | |
7 | 7 | 2 | Remediate Detected Vulnerabilities | Partial | |
8 | 1 | 1 | Establish and Maintain an Audit Log Management Process | | |
8 | 2 | 1 | Collect Audit Logs | | |
8 | 3 | 1 | Ensure Adequate Audit Log Storage | | |
8 | 4 | 2 | Standardize Time Synchronization | Facilitates | |
8 | 5 | 2 | Collect Detailed Audit Logs | | |
8 | 6 | 2 | Collect DNS Query Audit Logs | | |
8 | 7 | 2 | Collect URL Request Audit Logs | | |
8 | 8 | 2 | Collect Command-Line Audit Logs | | |
8 | 9 | 2 | Centralize Audit Logs | | |
8 | 10 | 2 | Retain Audit Logs | | |
8 | 11 | 2 | Conduct Audit Log Reviews | | |
8 | 12 | 3 | Collect Service Provider Logs | | |
9 | 1 | 1 | Ensure Use of Only Fully Supported Browsers and Email Clients | Facilitates | |
9 | 2 | 1 | Use DNS Filtering Services | | |
9 | 3 | 2 | Maintain and Enforce Network-Based URL Filters | | |
9 | 4 | 2 | Restrict Unnecessary or Unauthorized Browser and Email Client Extensions | | |
9 | 5 | 2 | Implement DMARC | | |
9 | 6 | 2 | Block Unnecessary File Types | | |
9 | 7 | 3 | Deploy and Maintain Email Server Anti-Malware Protections | | |
10 | 1 | 1 | Deploy and Maintain Anti-Malware Software | | |
10 | 2 | 1 | Configure Automatic Anti-Malware Signature Updates | | |
10 | 3 | 1 | Disable Autorun and Autoplay for Removable Media | | |
10 | 4 | 2 | Configure Automatic Anti-Malware Scanning of Removable Media | | |
10 | 5 | 2 | Enable Anti-Exploitation Features | | |
10 | 6 | 2 | Centrally Manage Anti-Malware Software | | |
10 | 7 | 3 | Use Behavior-Based Anti-Malware Software | | |
11 | 1 | 1 | Establish and Maintain a Data Recovery Process | | |
11 | 2 | 1 | Perform Automated Backups | | |
11 | 3 | 1 | Protect Recovery Data | | |
11 | 4 | 1 | Establish and Maintain an Isolated Instance of Recovery Data | | |
11 | 5 | 2 | Test Data Recovery | | |
12 | 1 | 1 | Ensure Network Infrastructure is Up-to-Date | Facilitates | |
12 | 2 | 2 | Establish and Maintain a Secure Network Architecture | | |
12 | 3 | 2 | Securely Manage Network Infrastructure | | |
12 | 4 | 2 | Establish and Maintain Architecture Diagram(s) | | |
12 | 5 | 2 | Centralize Network Authentication, Authorization, and Auditing (AAA) | | |
12 | 6 | 2 | Use of Secure Network Management and Communication Protocols | | |
12 | 7 | 2 | Ensure Remote Devices Utilize a VPN and are Connecting to an Enterprise’s AAA Infrastructure | | |
12 | 8 | 3 | Establish and Maintain Dedicated Computing Resources for All Administrative Work | | |
13 | 1 | 2 | Centralize Security Event Alerting | | |
13 | 2 | 2 | Deploy a Host-Based Intrusion Detection Solution | | |
13 | 3 | 2 | Deploy a Network Intrusion Detection Solution | | |
13 | 4 | 2 | Perform Traffic Filtering Between Network Segments | | |
13 | 5 | 2 | Manage Access Control for Remote Assets | | |
13 | 6 | 2 | Collect Network Traffic Flow Logs | | |
13 | 7 | 3 | Deploy a Host-Based Intrusion Prevention Solution | | |
13 | 8 | 3 | Deploy a Network Intrusion Prevention Solution | | |
13 | 9 | 3 | Deploy Port-Level Access Control | | |
13 | 10 | 3 | Perform Application Layer Filtering | | |
13 | 11 | 3 | Tune Security Event Alerting Thresholds | | |
14 | 1 | 1 | Establish and Maintain a Security Awareness Program | | |
14 | 2 | 1 | Train Workforce Members to Recognize Social Engineering Attacks | | |
14 | 3 | 1 | Train Workforce Members on Authentication Best Practices | | |
14 | 4 | 1 | Train Workforce on Data Handling Best Practices | | |
14 | 5 | 1 | Train Workforce Members on Causes of Unintentional Data Exposure | | |
14 | 6 | 1 | Train Workforce Members on Recognizing and Reporting Security Incidents | | |
14 | 7 | 1 | Train Workforce on How to Identify and Report if Their Enterprise Assets are Missing Security Updates | | |
14 | 8 | 1 | Train Workforce on the Dangers of Connecting to and Transmitting Enterprise Data Over Insecure Networks | | |
14 | 9 | 2 | Conduct Role-Specific Security Awareness and Skills Training | | |
15 | 1 | 1 | Establish and Maintain an Inventory of Service Providers | | |
15 | 2 | 2 | Establish and Maintain a Service Provider Management Policy | | |
15 | 3 | 2 | Classify Service Providers | | |
15 | 4 | 2 | Ensure Service Provider Contracts Include Security Requirements | | |
15 | 5 | 3 | Assess Service Providers | | |
15 | 6 | 3 | Monitor Service Providers | | |
15 | 7 | 3 | Securely Decommission Service Providers | | |
16 | 1 | 2 | Establish and Maintain a Secure Application Development Process | | |
16 | 2 | 2 | Establish and Maintain a Process to Accept and Address Software Vulnerabilities | | |
16 | 3 | 2 | Perform Root Cause Analysis on Security Vulnerabilities | | |
16 | 4 | 2 | Establish and Manage an Inventory of Third-Party Software Components | | |
16 | 5 | 2 | Use Up-to-Date and Trusted Third-Party Software Components | | |
16 | 6 | 2 | Establish and Maintain a Severity Rating System and Process for Application Vulnerabilities | | |
16 | 7 | 2 | Use Standard Hardening Configuration Templates for Application Infrastructure | | |
16 | 8 | 2 | Separate Production and Non-Production Systems | | |
16 | 9 | 2 | Train Developers in Application Security Concepts and Secure Coding | | |
16 | 10 | 2 | Apply Secure Design Principles in Application Architectures | | |
16 | 11 | 2 | Leverage Vetted Modules or Services for Application Security Components | | |
16 | 12 | 3 | Implement Code-Level Security Checks | | |
16 | 13 | 3 | Conduct Application Penetration Testing | | |
16 | 14 | 3 | Conduct Threat Modeling | | |
17 | 1 | 1 | Designate Personnel to Manage Incident Handling | | |
17 | 2 | 1 | Establish and Maintain Contact Information for Reporting Security Incidents | | |
17 | 3 | 1 | Establish and Maintain an Enterprise Process for Reporting Incidents | | |
17 | 4 | 2 | Establish and Maintain an Incident Response Process | | |
17 | 5 | 2 | Assign Key Roles and Responsibilities | | |
17 | 6 | 2 | Define Mechanisms for Communicating During Incident Response | | |
17 | 7 | 2 | Conduct Routine Incident Response Exercises | | |
17 | 8 | 2 | Conduct Post-Incident Reviews | | |
17 | 9 | 3 | Establish and Maintain Security Incident Thresholds | | |
18 | 1 | 2 | Establish and Maintain a Penetration Testing Program | | |
18 | 2 | 2 | Perform Periodic External Penetration Tests | | |
18 | 3 | 2 | Remediate Penetration Test Findings | | |
18 | 4 | 3 | Validate Security Measures | | |
18 | 5 | 3 | Perform Periodic Internal Penetration Tests | | |
...