NIST_CSF_Risk_CMM-2017-markup

The document outlines a comprehensive framework for managing cybersecurity risks, including asset management, governance, risk assessment, and incident response. It details a three-year action plan aligned with NIST standards, emphasizing the importance of metrics and continuous improvement in security practices. The framework also highlights the need for policy alignment and proactive protection measures across various categories of information security.

Uploaded by

Rafael Maia
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as XLSX, PDF, TXT or read online on Scribd
0% found this document useful (0 votes)
20 views

NIST_CSF_Risk_CMM-2017-markup

The document outlines a comprehensive framework for managing cybersecurity risks, including asset management, governance, risk assessment, and incident response. It details a three-year action plan aligned with NIST standards, emphasizing the importance of metrics and continuous improvement in security practices. The framework also highlights the need for policy alignment and proactive protection measures across various categories of information security.

Uploaded by

Rafael Maia
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as XLSX, PDF, TXT or read online on Scribd
You are on page 1/ 17

NIST Risk Prioritization metrics - Functions - Service Catalog - Information Security Function / Category (overview diagram)

Enterprise-Aligned Framework:
- Risks
- Service Catalog
- Priorities
- Maturity
- Metrics
- 3-Year Project, Program and Initiative Roadmap
- IT Service Management Life-Cycle Process Improvement

NIST Cybersecurity Framework functions and categories:
- Identify: Asset Management; Business Environment; Governance; Risk Assessment; Risk Management; Supply Chain Risk Management
- Protect: Identity Management and Access Control; Awareness and Training; Data Security; Information Protection Processes and Procedures; Maintenance; Protective Technology
- Detect: Anomalies and Events; Security Continuous Monitoring; Detection Processes
- Respond: Response Planning; Communications; Analysis; Mitigation; Improvements
- Recover: Recovery Planning; Improvements; Communications

Aligned Standards - Risk Priorities & Appetite - Internal/External metrics - Service Catalog - Maturity Map "Tiers" - Policy Alignment
Information Security Risk-Aligned Framework Maturity Model (summary sheet)

Columns: InfoSec Service Catalog | Risk (priority rank) | CSC Top 20 | NIST Pol. (policy family) | FY-18 $ | FY-19 $ | FY-20 $ (all shown as $xxx placeholders; Budgets: Funded, Unfunded, Proposed) | Maturity 0 1 2 3
Markup callouts: Metrics; Key initiatives nested and aligned; Vendor contract, Governance; CMM - All - metrics; Challenges identified; Current State; Maturity progress identified.

Rows (risk rank, CSC controls and NIST family are given where the extraction kept them with the row; budget cells are all $xxx):
- Ops. Sec. - Asset Management (risk 4; NIST DI)
- Physical and Environmental (risk 7; CSC 1, 2; NIST DM)
- Governance - Regulatory, Legal, Compliance (NIST AP)
- Governance (NIST AU, PL)
- Security Information Management (risk 5; NIST PM)
- Security and Risk Assessments (risk 5a; CSC 4; NIST AR)
- Governance - Risk Management (risk 5b; NIST AR)
- Identity and Access Management (IAM): IAM; SSO (risk 2); NAC (risk 3); RBAC (risk 6) (NIST AC, IA)
- Awareness and Training (risk 10; CSC 5, 17; NIST AT, PS)
- Security Architecture and Design (Life Cycle) (risk 13; CSC 1, 2; NIST CA)
- Governance - Proactive Protection: Policies, Standards, Guidelines (CSC 3, 4); ITSM Process governance and maturity (e-discovery) (CSC 10, 11); Acquisition, Development and Maintenance (risk 11); Application development life cycle (CSC 3, 4) (NIST MP, PE, SA, SC)
- Operations Security - Asset Maintenance (risk 12; CSC 5, 11; NIST MA)
- Operations Security - Change Management (risk 14; CSC 5, 6)
- Information Management and Encryption (risk 15; CSC 7, 8, 11, 13, 14, 16; NIST CM)
- Monitor, Alerts and Reports - SIEM-Vuln (CSC 6, 9, 12, 19; NIST SI)
- PCI-PII-PHI (risk 1b)
- Monitor, Alerts and Reports (risk 1a; CSC 4, 8, 16, 19)
- Monitor, Alerts and Reports - DLP (risk 1; CSC 19)
- Gov. - Bus. Impact Analysis (risk 5c; CSC 19)
- Incident Response - Alignment (risk 8d; CSC 19)
- Incident Response - Risk (risk 8a; CSC 6, 19)
- Incident Response (risk 8c; CSC 4, 19; NIST IR)
- Incident Response - Maturity (risk 8e; CSC 19, 20)
- Ops. Security - Bus. Continuity (risk 8; CSC 10; NIST CP)
- Ops. Security - Downtime Mgmt.
- Ops. Security - Svc. Alignment (risk 8b; CSC 20)

Aligned Standards - Continuous Process and Service Improvement
Business View / Priorities / Risk-Alignment
Three (or more) Year Action Plan - Maturity Map - NIST "Profiles" by Quarter

Maturity Model Action Plan (three-year sheet; the column headers read Action Plan FY2016 / Action Plan FY2017 / Action Plan FY2018 above quarter columns labelled FY18-Q1 to FY18-Q4, FY19-Q1 to FY19-Q4 and FY20-Q1 to FY20-Q4)

Markup callouts: CMM and metrics - Sample Projects and Initiatives; Challenges identified; Current State; Maturity progress identified; Future State.

Projects and initiatives placed across the quarter columns (row order as on the sheet; the quarter each item falls in is not recoverable from the extraction):
- Asset Strategy Review; Project 7A; Metrics; Risk Program; Policy Dev.; Policy Review; Automate Dashboard; Integration 1; Integration 2; Integration 3; Review
- NAC; SSO - Phase 0; IAM; SSO - Phase 3
- Metrics Alignment; Review; Review; Report IT; Report; Report
- Service Management Review; MDM; Metrics (e-discovery)
- Automation; Full Asset Management; Asset Management Review; Change Management Review; ITSM Alignment; Change Mgmt.
- Pen-Test (six entries across the quarters, two marked External); Expand 3; Expand 4; Expand 5
- DLP Phase 2; DLP Phase 3
- BIA - Phase 1; BIA - Phase 3; Architecture; Process Mapping; Risk Mapping; Formal Review; Formal Review
- CIRT Test 1; CIRT Full Test; CIRT Test 3
- Remediate; External Risk Assessment; Remediate
- DR Plan; Test BC Plan; Test; Test BC Plan; Test; Standardize; Document; Downtime Plan; Downtime Plan; Training
- LMS Review; Mid-year; LMS Review; Mid-year; LMS Review; Mid-year

NIST Cybersecurity Framework, Brian Ventura, Christopher Paidhrin, and Dean Musson, Revision 11.0 - 2013-2017
Information Security Risk-Aligned Framework Maturity Roadmap FY2017 (category-level view; some sections hidden to illustrate function cleanly)

Columns: Function | Category Unique Identifier | Links | Category | Sub-Category - Service Catalog Info. | CSC or NIST Core References (Cat. IDs) | Priority | Organization | Service Catalog | Risk Priorities & Appetite - Internal/External metrics | Funded / Unfunded / Proposed | Policy specifics (process, policy, documentation and automation) - score used to calculate maturity | Maturity "Tiers" or Maturity Map (see legend): 1 Initial, 2 Repeatable, 3 Defined, 4 Managed, 5 Optimizing | Three Year (or more) Action Plan (Implementation) based on "Profiles" -- Identified Risks, Priorities, Maturity, and Capabilities; quarter-by-quarter initiative or project time-lines and measures of success: Action Plan FY2018-2019, FY2019-2020, FY2020-2021

Markup callouts: Aligned Standards, Continuous Process and Service Improvement, Policy Alignment; collapse and expand sub-sections (columns above); budget items roll up to the high-level category; CMM and metrics agnostic; sample projects and initiatives; challenges across Infrastructure services are readily identified.

IDENTIFY
AM Asset Management | Organization: Infrastructure | Tools: CMDB system, Cisco Prime; Vulnerability Scanner, CMDB system; Visio; (CASB) | CSC 1, 2 | NIST DI, DM | 26.7% | Action plan: Vulnerability Management Program Expansion; Vulnerability Management Passive Scan Implementation; Network Access Control Evaluation; CASB Evaluation; Software Whitelisting Evaluation; Map Data Flows; Review Asset Management Roles and Responsibilities
BE Business Environment | Organization: Governance | NIST AP | 36.0% | Action plan: Align with Organizational Mission
GV Governance | Organization: Governance | Tools: Security Policy; Security Policy, (Eramba GRC); Eramba GRC | NIST AU, PL, PM | 26.3% | Action plan: Review Roles and Responsibilities; Review Information Security Policies and Architecture; GRC Framework Evaluation and Project; GRC Framework Project Phase 1 and Phase 2; GRC Framework Project Phase 3 and Phase 4; HIPAA and PCI Assessment
RA Risk Assessment | Organization: Risk Assessments | Tools: Vulnerability Management, Penetration Testing, Risk Assessments; MS-ISAC Threat Intelligence; Risk Assessments | CSC 4 | NIST AR | 35.0% | Action plan: Vulnerability Management Expansion Project; Expand Threat Intelligence; Evaluate MS-ISAC Threat Intelligence; Cardholder Data Risk Assessments; Risk Assessment Improvements
RM Risk Management | Organization: Risk Management | NIST AR | 15.0% | Action plan: Review Risk Process; Review Tolerance
SC Supply Chain Risk Management | Organization: Supply Chain Risk Management | NIST SA | 26.0% | Action plan: Review Supply Chain Process; Review Vendors

PROTECT
AC Identity Management and Access Control | Tools: Active Directory, ADFS, (IAM); (VPN), (IAM), (MDM); (PAM), (NAC); Firewall, Web Filter, (NAC) | CSC 5, 11-14, 16, 18 | NIST AC, IA | 18.0% | Action plan: Identity Access Management Evaluation; Privileged Access Management Eval; Identity Access Mgmt Project; Remote Access Expansion; Network Access Control Evaluation; MDM Evaluation; Review Active Directory; Web Content Filter Project; Firewall Refresh Project
DS Data Security | Tools: Bitlocker, Storage Encryption, Certificate Services; TLS, Certificate Services; Operational Monitoring, External Monitoring; Data Loss Prevention, Digital Rights Management; Tripwire | CSC 1, 2, 13, 14 | NIST CA | 8.6% | Action plan: SAN Encryption at rest; Data Classification Project; Encourage compliance with 100% encryption policy; Workstation Certificates; Data Loss Prevention Evaluation; Evaluate FIM solution; Policy to encrypt all network connections (3yr compliance)
IP Information Protection Processes and Procedures | Tools: CIS Benchmarks, DISA STIGs; IT Change Control; Backup/Restore solution; Incident Response Plan, Business Continuity Plan; Vulnerability Management, 3rd Party | CSC 3, 4, 7, 11, 19 | NIST MP, PE, SA, SC | 14.6% | Action plan: Document Plan; Review Plan
MA Maintenance | CSC 5, 12 | NIST MA | 22.5%
PT Protective Technology | Tools: Log Management, SIEM; (IAM) | CSC 5, 6, 8, 11, 13, 14, 18 | NIST CM | 10.0% | Action plan: SIEM management/ rules; SIEM Tuning

DETECT / RESPOND / RECOVER (rows hidden in this view, except:)
CO Communications | CSC 19 | 10.0%
Markup legend: Current State Progress Areas; Future State Challenge Areas.
Callout: a maturity level of "Defined", "Relational", or "Managed" (3, or mid-line) is a 'realistic' near-term goal.

Information Security Risk-Aligned Framework Maturity Roadmap FY2017 (full sheet)

Columns, left to right:
- Function; Category Unique Identifier; Links; Category; Cybersecurity Framework Control (subcategory); Priority; Organization; Service Catalog; CSC Top Twenty control(s)
- FY2016 $, FY2017 $, FY2018 $, FY2019 $, FY2020 $ (budget)
- NIST Policy Family
- Process Level, Policy Level, Documentation Level, Automation Level (the rating given to each subcategory)
- Process Value, Policy Value, Document Value, Automate Value (the point value of each rating) and Maturity Score (their sum)
- Maturity legend: 1 Initial, 2 Repeatable, 3 Defined, 4 Managed, 5 Optimizing
- Action Plan FY2018-2019, FY2019-2020, FY2020-2021, FY2021-2022, FY2022-2023

Rating values as used consistently in the rows below: Process Level None 0%, Inconsistent 10%, Repeatable 20%, Standardized 30%, Measured 40%, Optimized 50%; Policy Level None 0%, Informal 5%, Defined 10%, Audited 15%, Embedded 20%; Documentation Level None 0%, Informal 5%, Formal 10%, Metrics and Reporting 15%, Improvement Process 20%; Automation Level None 0%, Partial 5%, Full 10%. A category row's maturity is the average of its subcategory scores.

Row layout used below: subcategory | Tools (service catalog) | CSC control(s) | budget where given | Levels: process / policy / documentation / automation -> the four point values and their sum (Maturity Score) | Action plan items.
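The sheet rates every subcategory on Process, Policy, Documentation and Automation, adds the four point values into the Maturity Score column, and averages those scores for the category row. The Python below is an added example, not part of the original workbook: it reproduces that scoring from the sheet's own level-to-value tables and adds a per-dimension coverage view (names such as Rating, category_score and weakest_dimension are this example's own; the ID.AM and PR.PT sample rows are copied from the sheet).

```python
"""Maturity scoring behind the roadmap's subcategory rows (added example).

Every NIST CSF subcategory is rated on four dimensions: Process, Policy,
Documentation and Automation. Each rating level carries a fixed point value,
the four values add up to the row's Maturity Score, and a category's score
is the mean of its subcategory scores. The level-to-value tables below are
read off the sheet's own rows (for instance ID.AM-1: Standardized / Informal /
Formal / Partial -> 30% + 5% + 10% + 5% = 50%), so the per-dimension weights
(50 / 20 / 20 / 10 points) are the sheet's, not an assumption of this example.
"""
from __future__ import annotations

from dataclasses import dataclass

# Process Level -> Process Value (worth up to 50 points)
PROCESS = {"None": 0, "Inconsistent": 10, "Repeatable": 20,
           "Standardized": 30, "Measured": 40, "Optimized": 50}
# Policy Level -> Policy Value (worth up to 20 points)
POLICY = {"None": 0, "Informal": 5, "Defined": 10, "Audited": 15, "Embedded": 20}
# Documentation Level -> Document Value (worth up to 20 points)
DOCUMENTATION = {"None": 0, "Informal": 5, "Formal": 10,
                 "Metrics and Reporting": 15, "Improvement Process": 20}
# Automation Level -> Automate Value (worth up to 10 points)
AUTOMATION = {"None": 0, "Partial": 5, "Full": 10}

DIMENSIONS = {"process": PROCESS, "policy": POLICY,
              "documentation": DOCUMENTATION, "automation": AUTOMATION}


@dataclass(frozen=True)
class Rating:
    """One subcategory row: its identifier and the four rating levels."""
    subcategory: str
    process: str
    policy: str
    documentation: str
    automation: str

    def values(self) -> dict[str, int]:
        """Point value per dimension; a level not in the legend is an input error."""
        out: dict[str, int] = {}
        for dim, table in DIMENSIONS.items():
            level = getattr(self, dim)
            if level not in table:
                raise ValueError(f"{self.subcategory}: unknown {dim} level {level!r}")
            out[dim] = table[level]
        return out

    def score(self) -> int:
        """Maturity Score column: sum of the four point values (0-100)."""
        return sum(self.values().values())


def category_score(rows: list[Rating]) -> float:
    """Category row's score: mean of its subcategory scores, rounded to 0.1 as on the sheet."""
    if not rows:
        raise ValueError("a category needs at least one subcategory row")
    return round(sum(r.score() for r in rows) / len(rows), 1)


def dimension_coverage(rows: list[Rating]) -> dict[str, float]:
    """Share of the available points earned per dimension across the rows (0.0 to 1.0).

    Added view for prioritising work; the sheet itself only shows the totals.
    """
    coverage: dict[str, float] = {}
    for dim, table in DIMENSIONS.items():
        earned = sum(r.values()[dim] for r in rows)
        available = max(table.values()) * len(rows)
        coverage[dim] = earned / available
    return coverage


def weakest_dimension(rows: list[Rating]) -> str:
    """Dimension with the lowest coverage (first in legend order on a tie)."""
    cov = dimension_coverage(rows)
    return min(cov, key=cov.__getitem__)


# Sample input: the ID.AM and PR.PT rows exactly as rated on the sheet.
ASSET_MANAGEMENT = [
    Rating("ID.AM-1", "Standardized", "Informal", "Formal", "Partial"),
    Rating("ID.AM-2", "Measured", "None", "Formal", "Full"),
    Rating("ID.AM-3", "Inconsistent", "None", "Formal", "None"),
    Rating("ID.AM-4", "None", "None", "None", "None"),
    Rating("ID.AM-5", "Inconsistent", "None", "Informal", "None"),
    Rating("ID.AM-6", "Inconsistent", "Informal", "None", "None"),
]
PROTECTIVE_TECHNOLOGY = [
    Rating("PR.PT-1", "Inconsistent", "None", "None", "None"),
    Rating("PR.PT-2", "None", "None", "None", "None"),
    Rating("PR.PT-3", "Inconsistent", "Defined", "None", "None"),
    Rating("PR.PT-4", "Optimized", "Defined", "None", "None"),
    Rating("PR.PT-5", "Inconsistent", "Defined", "None", "None"),
]

if __name__ == "__main__":
    for name, rows in (("ID.AM", ASSET_MANAGEMENT), ("PR.PT", PROTECTIVE_TECHNOLOGY)):
        for r in rows:
            print(f"{r.subcategory}: {r.score()}%")
        print(f"{name} category: {category_score(rows)}%  weakest: {weakest_dimension(rows)}")
```

Run as a script it reproduces the sheet's 26.7% for Asset Management and 22.0% for Protective Technology, and shows that policy is the dimension earning the smallest share of its points in Asset Management.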

IDENTIFY

AM Asset Management | Organization: Infrastructure | Service catalog: Operational Security - Asset Management | Tools: CMDB system, Cisco Prime; Vulnerability Scanner, CMDB system; Visio; (CASB) | CSC 1, 2 | Budget FY2016-FY2020: 35,000; 35,000; 10,000; 60,000; 10,000 | NIST DI, DM | Category maturity: 26.7%
ID.AM-1: Physical devices and systems within the organization are inventoried | Tools: CMDB system, Cisco Prime | CSC 1 | Levels: Standardized / Informal / Formal / Partial -> 30% + 5% + 10% + 5% = 50% | Action plan: Vulnerability Management Program Expansion; Vulnerability Management Passive Scan Implementation; Network Access Control Evaluation
ID.AM-2: Software platforms and applications within the organization are inventoried | Tools: Vulnerability Scanner, CMDB system | CSC 2 | Budget FY2016-FY2020: 10,000 each year | Levels: Measured / None / Formal / Full -> 40% + 0% + 10% + 10% = 60% | Action plan: CASB Evaluation; Software Whitelisting Evaluation
ID.AM-3: Organizational communication and data flows are mapped | Tools: Visio | CSC 1 | Levels: Inconsistent / None / Formal / None -> 10% + 0% + 10% + 0% = 20% | Action plan: Map Data Flows (three action-plan years)
ID.AM-4: External information systems are catalogued | Tools: (CASB) | CSC 1 | Budget FY2016-FY2020: 25,000; 25,000; 0; 50,000; 0 | Levels: None / None / None / None -> 0%
ID.AM-5: Resources (e.g., hardware, devices, data, time, personnel, and software) are prioritized based on their classification, criticality, and business value | Levels: Inconsistent / None / Informal / None -> 10% + 0% + 5% + 0% = 15%
ID.AM-6: Cybersecurity roles and responsibilities for the entire workforce and third-party stakeholders (e.g., suppliers, customers, partners) are established | Levels: Inconsistent / Informal / None / None -> 10% + 5% + 0% + 0% = 15% | Action plan: Review Asset Management Roles and Responsibilities
BE Business Environment | Organization: Governance | Service catalog: Strategic Security - Business Environment | Budget FY2016-FY2020: 0 each year | NIST AP | Category maturity: 36.0%
ID.BE-1: The organization’s role in the supply chain is identified and communicated | Levels: Inconsistent / None / None / None -> 10% + 0% + 0% + 0% = 10%
ID.BE-2: The organization’s place in critical infrastructure and its industry sector is identified and communicated | Levels: Inconsistent / Defined / Formal / Partial -> 10% + 10% + 10% + 5% = 35%
ID.BE-3: Priorities for organizational mission, objectives, and activities are established and communicated | Levels: Standardized / None / Improvement Process / Partial -> 30% + 0% + 20% + 5% = 55% | Action plan: Align with Organizational Mission
ID.BE-4: Dependencies and critical functions for delivery of critical services are established | Levels: Inconsistent / Audited / Formal / Partial -> 10% + 15% + 10% + 5% = 40%
ID.BE-5: Resilience requirements to support delivery of critical services are established for all operating states (e.g. under duress/attack, during recovery, normal operations) | Levels: Inconsistent / Audited / Metrics and Reporting / None -> 10% + 15% + 15% + 0% = 40%
GV Governance | Organization: Governance | Service catalog: Strategic Security - Governance and Compliance | Tools: Security Policy; Security Policy, (Eramba GRC); Eramba GRC | Budget FY2016-FY2020: 250,000; 100,000; 100,000; 100,000; 100,000 | NIST AU, PL, PM | Category maturity: 26.3%
ID.GV-1: Organizational cybersecurity policy is established and communicated | Tools: Security Policy | Levels: Inconsistent / Defined / Formal / None -> 10% + 10% + 10% + 0% = 30% | Action plan: Review Roles and Responsibilities (all five action-plan years)
ID.GV-2: Cybersecurity roles and responsibilities are coordinated and aligned with internal roles and external partners | Tools: Security Policy, (Eramba GRC) | Budget FY2016-FY2020: 250,000; 100,000; 100,000; 100,000; 100,000 | Levels: Inconsistent / Defined / Formal / None -> 10% + 10% + 10% + 0% = 30% | Action plan: Review Information Security Policies and Architecture (all five action-plan years)
ID.GV-3: Legal and regulatory requirements regarding cybersecurity, including privacy and civil liberties obligations, are understood and managed | Tools: Eramba GRC | Levels: Inconsistent / Defined / Formal / None -> 10% + 10% + 10% + 0% = 30% | Action plan: GRC Framework Evaluation and Project; GRC Framework Project Phase 1 and Phase 2; GRC Framework Project Phase 3 and Phase 4; Review GRC Framework
ID.GV-4: Governance and risk management processes address cybersecurity risks | Levels: Inconsistent / Informal / None / None -> 10% + 5% + 0% + 0% = 15% | Action plan: HIPAA and PCI Assessment (all five action-plan years)
RA Risk Assessment | Organization: Risk Assessments | Service catalog: Strategic Security - Risk Assessments | Tools: Vulnerability Management, Penetration Testing, Risk Assessments; MS-ISAC Threat Intelligence; Risk Assessments | CSC 4 | Budget FY2016-FY2020: 0 each year | NIST AR | Category maturity: 35.0%
ID.RA-1: Asset vulnerabilities are identified and documented | Tools: Vulnerability Management, Penetration Testing, Risk Assessments | CSC 4 | Levels: Repeatable / Informal / Informal / None -> 20% + 5% + 5% + 0% = 30% | Action plan: Vulnerability Management Expansion Project
ID.RA-2: Cyber threat intelligence is received from information sharing forums and sources | Tools: MS-ISAC Threat Intelligence | CSC 4 | Levels: Inconsistent / Defined / Informal / None -> 10% + 10% + 5% + 0% = 25% | Action plan: Expand Threat Intelligence; Evaluate MS-ISAC Threat Intelligence
ID.RA-3: Threats, both internal and external, are identified and documented | Tools: Vulnerability Management, Penetration Testing, Risk Assessments | Levels: Inconsistent / Defined / Informal / Partial -> 10% + 10% + 5% + 5% = 30%
ID.RA-4: Potential business impacts and likelihoods are identified | Tools: Risk Assessments | Levels: Inconsistent / Audited / Informal / None -> 10% + 15% + 5% + 0% = 30% | Action plan: Cardholder Data Risk Assessments (all five action-plan years)
ID.RA-5: Threats, vulnerabilities, likelihoods, and impacts are used to determine risk | Tools: Risk Assessments | Levels: Repeatable / Embedded / Informal / None -> 20% + 20% + 5% + 0% = 45%
ID.RA-6: Risk responses are identified and prioritized | Tools: Risk Assessments | Levels: Inconsistent / Defined / Improvement Process / Full -> 10% + 10% + 20% + 10% = 50% | Action plan: Risk Assessment Improvements (all five action-plan years)
RM Risk Management | Organization: Risk Management | Service catalog: Strategic Security - Risk Management | Budget FY2016-FY2020: 0 each year | NIST AR | Category maturity: 15.0%
ID.RM-1: Risk management processes are established, managed, and agreed to by organizational stakeholders | Levels: Repeatable / None / Informal / None -> 20% + 0% + 5% + 0% = 25% | Action plan: Review Risk Process (all five action-plan years)
ID.RM-2: Organizational risk tolerance is determined and clearly expressed | Levels: Inconsistent / None / None / None -> 10% + 0% + 0% + 0% = 10% | Action plan: Review Tolerance (all five action-plan years)
ID.RM-3: The organization’s determination of risk tolerance is informed by its role in critical infrastructure and sector specific risk analysis | Levels: Inconsistent / None / None / None -> 10% + 0% + 0% + 0% = 10%
SC Supply Chain Risk Management | Organization: Supply Chain Risk Management | Service catalog: Strategic Security - Supply Chain Risk Management | Budget FY2016-FY2020: 0 each year | NIST AR | Category maturity: 22.0%
ID.SC-1: Cyber supply chain risk management processes are identified, established, assessed, managed, and agreed to by organizational stakeholders | Levels: Repeatable / None / Informal / None -> 20% + 0% + 5% + 0% = 25% | Action plan: Review Supply Chain Process (all five action-plan years)
ID.SC-2: Suppliers and third party partners of information systems, components, and services are identified, prioritized, and assessed using a cyber supply chain risk assessment process | Levels: Repeatable / Embedded / Formal / Partial -> 20% + 20% + 10% + 5% = 55% | Action plan: Review Vendors (all five action-plan years)
ID.SC-3: Contracts with suppliers and third-party partners are used to implement appropriate measures designed to meet the objectives of an organization’s cybersecurity program and Cyber Supply Chain Risk Management Plan. | Levels: Inconsistent / None / None / None -> 10% + 0% + 0% + 0% = 10%
ID.SC-4: Suppliers and third-party partners are routinely assessed using audits, test results, or other forms of evaluations to confirm they are meeting their contractual obligations. | Levels: Inconsistent / None / None / None -> 10% + 0% + 0% + 0% = 10%
ID.SC-5: Response and recovery planning and testing are conducted with suppliers and third-party providers | Levels: Inconsistent / None / None / None -> 10% + 0% + 0% + 0% = 10%
PROTECT

AC Identity Management and Access Control | Service catalog: Operational Security - Access Control | Tools: Active Directory, ADFS, (IAM); (VPN), (IAM), (MDM); (PAM), (NAC); Firewall, Web Filter, (NAC) | CSC 5, 11-14, 16, 18 | Budget FY2016-FY2020: 520,000; 10,000; 0; 20,000; 0 | NIST AC, IA | Category maturity: 17.1%
PR.AC-1: Identities and credentials are issued, managed, verified, revoked, and audited for authorized devices, users and processes | Tools: Active Directory, ADFS, (IAM) | CSC 18 | Budget entries: 10,000; 10,000 | Levels: Inconsistent / Defined / Informal / None -> 10% + 10% + 5% + 0% = 25% | Action plan: Identity Access Management Evaluation; Privileged Access Management Eval; Identity Access Mgmt Project
PR.AC-2: Physical access to assets is managed and protected | Levels: Inconsistent / Informal / None / None -> 10% + 5% + 0% + 0% = 15%
PR.AC-3: Remote access is managed | Tools: (VPN), (IAM), (MDM) | CSC 12 | Budget entries: 500,000 | Levels: Inconsistent / Informal / None / None -> 10% + 5% + 0% + 0% = 15% | Action plan: Remote Access Expansion; MDM Evaluation
PR.AC-4: Access permissions and authorizations are managed, incorporating the principles of least privilege and separation of duties | Tools: (PAM), (NAC) | CSC 5, 14, 16, 18 | Levels: Inconsistent / Informal / None / None -> 10% + 5% + 0% + 0% = 15% | Action plan: Review Active Directory (all five action-plan years); Network Access Control Evaluation
PR.AC-5: Network integrity is protected (e.g. network segregation, network segmentation) | Tools: Firewall, Web Filter, (NAC) | CSC 11, 12, 13, 14 | Budget entries: 10,000; 20,000 | Levels: Inconsistent / Informal / None / None -> 10% + 5% + 0% + 0% = 15% | Action plan: Web Content Filter Project; Firewall Refresh Project
PR.AC-6: Identities are proofed and bound to credentials and asserted in interactions | Levels: Inconsistent / Informal / None / None -> 10% + 5% + 0% + 0% = 15%
PR.AC-7: Users, devices, and other assets are authenticated (e.g., single-factor, multi-factor) commensurate with the risk of the transaction (e.g., individuals’ security and privacy risks and other organizational risks) | Levels: Inconsistent / Defined / None / None -> 10% + 10% + 0% + 0% = 20%
AT Awareness and Training | Organization: Awareness | Service catalog: Strategic Security - Awareness and Training | Tools: User Awareness, (Phish Training); General Education; Security Policy, (Eramba GRC); Security Policy | CSC 5, 17 | Budget FY2016-FY2020: 0 each year | NIST AT, PS | Category maturity: 19.0%
PR.AT-1: All users are informed and trained | Tools: User Awareness, (Phish Training); General Education | CSC 17 | Levels: Repeatable / Defined / Informal / None -> 20% + 10% + 5% + 0% = 35% | Action plan: PCI Education; Review Education Program (four action-plan years)
PR.AT-2: Privileged users understand their roles and responsibilities | Tools: Security Policy, (Eramba GRC) | CSC 5, 17 | Levels: Inconsistent / Informal / None / None -> 10% + 5% + 0% + 0% = 15%
PR.AT-3: Third-party stakeholders (e.g., suppliers, customers, partners) understand their roles and responsibilities | Tools: Security Policy | CSC 17 | Levels: Inconsistent / Informal / None / None -> 10% + 5% + 0% + 0% = 15%
PR.AT-4: Senior executives understand their roles and responsibilities | Tools: Security Policy, (Eramba GRC) | CSC 17 | Levels: Inconsistent / Informal / None / None -> 10% + 5% + 0% + 0% = 15%
PR.AT-5: Physical and cybersecurity personnel understand their roles and responsibilities | Tools: Security Policy, (Eramba GRC) | CSC 17 | Levels: Inconsistent / Informal / None / None -> 10% + 5% + 0% + 0% = 15%
DS Data Security | Service catalog: Operational Security - Encryption and Data Integrity | Tools: Bitlocker, Storage Encryption, Certificate Services; TLS, Certificate Services; Operational Monitoring, External Monitoring; Data Loss Prevention, Digital Rights Management; Tripwire | CSC 1, 2, 13, 14 | Budget FY2016-FY2020: 0 each year | NIST CA | Category maturity: 7.5%
PR.DS-1: Data-at-rest is protected | Tools: Bitlocker, Storage Encryption, Certificate Services, Workstation Certificates | CSC 14 | Levels: Inconsistent / Defined / None / None -> 10% + 10% + 0% + 0% = 20% | Action plan: SAN Encryption at rest; Data Classification Project
PR.DS-2: Data-in-transit is protected | Tools: TLS, Certificate Services | CSC 13, 14 | Levels: Inconsistent / Defined / None / None -> 10% + 10% + 0% + 0% = 20% | Action plan: Policy to encrypt all network connections (3yr compliance); Encourage compliance with 100% encryption policy; Enforce 100% encryption policy
PR.DS-3: Assets are formally managed throughout removal, transfers, and disposition | CSC 1 | Levels: Inconsistent / None / None / None -> 10% + 0% + 0% + 0% = 10%
PR.DS-4: Adequate capacity to ensure availability is maintained | Tools: Operational Monitoring, External Monitoring | Levels: None / None / None / None -> 0%
PR.DS-5: Protections against data leaks are implemented | Tools: Data Loss Prevention, Digital Rights Management | CSC 13 | Levels: None / None / None / None -> 0% | Action plan: Data Loss Prevention Evaluation
PR.DS-6: Integrity checking mechanisms are used to verify software, firmware, and information integrity | Tools: Tripwire | CSC 2 | Levels: Inconsistent / None / None / None -> 10% + 0% + 0% + 0% = 10% | Action plan: Evaluate FIM solution (two action-plan years)
PR.DS-7: The development and testing environment(s) are separate from the production environment | Levels: None / None / None / None -> 0%
PR.DS-8: Integrity checking mechanisms are used to verify hardware integrity | Levels: None / None / None / None -> 0%
IP Information Protection Processes and Procedures | Service catalog: Operational Security - Processes and Procedures | Tools: CIS Benchmarks, DISA STIGs; IT Change Control; Backup/Restore solution; Incident Response Plan, Business Continuity Plan; Vulnerability Management, 3rd Party | CSC 3, 4, 7, 11, 19 | Budget FY2016-FY2020: 0 each year | NIST MP, PE, SA, SC | Category maturity: 14.6%
PR.IP-1: A baseline configuration of information technology/industrial control systems is created and maintained incorporating security principles (e.g. concept of least functionality) | Tools: CIS Benchmarks, DISA STIGs | CSC 3, 7, 11 | Levels: Inconsistent / None / Informal / None -> 10% + 0% + 5% + 0% = 15%
PR.IP-2: A System Development Life Cycle to manage systems is implemented | Levels: Inconsistent / None / None / None -> 10% + 0% + 0% + 0% = 10%
PR.IP-3: Configuration change control processes are in place | Tools: IT Change Control | Levels: Repeatable / Informal / Formal / Partial -> 20% + 5% + 10% + 5% = 40%
PR.IP-4: Backups of information are conducted, maintained, and tested | Tools: Backup/Restore solution | Levels: Repeatable / None / Informal / None -> 20% + 0% + 5% + 0% = 25%
PR.IP-5: Policy and regulations regarding the physical operating environment for organizational assets are met | Levels: Inconsistent / Informal / None / None -> 10% + 5% + 0% + 0% = 15%
PR.IP-6: Data is destroyed according to policy | Levels: Inconsistent / None / None / None -> 10% + 0% + 0% + 0% = 10%
PR.IP-7: Protection processes are improved | Levels: Inconsistent / None / None / None -> 10% + 0% + 0% + 0% = 10% | Action plan: Document Plan; Review Plan (three action-plan years)
PR.IP-8: Effectiveness of protection technologies is shared | Levels: Inconsistent / None / None / None -> 10% + 0% + 0% + 0% = 10%
PR.IP-9: Response plans (Incident Response and Business Continuity) and recovery plans (Incident Recovery and Disaster Recovery) are in place and managed | Tools: Incident Response Plan, Business Continuity Plan | Levels: None / Informal / Informal / None -> 0% + 5% + 5% + 0% = 10%
PR.IP-10: Response and recovery plans are tested | Tools: Incident Response Plan, Business Continuity Plan | CSC 19 | Levels: None / None / None / None -> 0%
PR.IP-11: Cybersecurity is included in human resources practices (e.g., deprovisioning, personnel screening) | Levels: Inconsistent / None / None / None -> 10% + 0% + 0% + 0% = 10%
PR.IP-12: A vulnerability management plan is developed and implemented | Tools: Vulnerability Management, 3rd Party | CSC 4 | Levels: Inconsistent / Informal / None / Partial -> 10% + 5% + 0% + 5% = 20%

MA Maintenance | Service catalog: Operational Security - Asset Maintenance | CSC 5, 12 | Budget FY2016-FY2020: 0 each year | NIST MA | Category maturity: 22.5%
PR.MA-1: Maintenance and repair of organizational assets are performed and logged, with approved and controlled tools | Levels: Repeatable / Informal / Informal / None -> 20% + 5% + 5% + 0% = 30%
PR.MA-2: Remote maintenance of organizational assets is approved, logged, and performed in a manner that prevents unauthorized access | CSC 5, 12 | Levels: Inconsistent / Informal / None / None -> 10% + 5% + 0% + 0% = 15%
PT Protective Technology | Service catalog: Operational Security - Protect Assets | Tools: Log Management, SIEM; (IAM) | CSC 5, 6, 8, 11, 13, 14, 18 | Budget FY2016-FY2020: 0 each year | NIST CM | Category maturity: 22.0%
PR.PT-1: Audit/log records are determined, documented, implemented, and reviewed in accordance with policy | Tools: Log Management, SIEM | CSC 6 | Levels: Inconsistent / None / None / None -> 10% + 0% + 0% + 0% = 10% | Action plan: SIEM management/ rules; SIEM Tuning (four action-plan years)
PR.PT-2: Removable media is protected and its use restricted according to policy | CSC 8, 13, 14 | Levels: None / None / None / None -> 0%
PR.PT-3: The principle of least functionality is incorporated by configuring systems to provide only essential capabilities | Tools: (IAM) | CSC 5, 14, 18 | Levels: Inconsistent / Defined / None / None -> 10% + 10% + 0% + 0% = 20%
PR.PT-4: Communications and control networks are protected | CSC 11 | Levels: Optimized / Defined / None / None -> 50% + 10% + 0% + 0% = 60%
PR.PT-5: Mechanisms (e.g., failsafe, load balancing, hot swap) are implemented to achieve resilience requirements in normal and adverse situations | CSC 11 | Levels: Inconsistent / Defined / None / None -> 10% + 10% + 0% + 0% = 20%
DETECT

AE Anomalies and Events | Service catalog: Operational Security - Monitor, Analyze and Detect Events | Tools: (Vulnerability Management), (Network Analytics); Log Management, SIEM; JSA, (GrayLog) | CSC 6, 12, 19 | Budget FY2016-FY2020: 0 each year | NIST SI | Category maturity: 8.0%
DE.AE-1: A baseline of network operations and expected data flows for users and systems is established and managed | Tools: (Vulnerability Management), (Network Analytics) | CSC 12 | Levels: None / None / None / None -> 0% | Action plan: Network Analytics
DE.AE-2: Detected events are analyzed to understand attack targets and methods | CSC 19 | Levels: Inconsistent / None / None / None -> 10% + 0% + 0% + 0% = 10%
DE.AE-3: Event data are collected and correlated from multiple sources and sensors | Tools: Log Management, SIEM | CSC 6 | Levels: Inconsistent / None / None / None -> 10% + 0% + 0% + 0% = 10% | Action plan: SIEM Tuning
DE.AE-4: Impact of events is determined | Tools: Log Management, SIEM | CSC 19 | Levels: Inconsistent / None / None / None -> 10% + 0% + 0% + 0% = 10% | Action plan: SIEM Tuning
DE.AE-5: Incident alert thresholds are established | Tools: JSA, (GrayLog) | CSC 19 | Levels: Inconsistent / None / None / None -> 10% + 0% + 0% + 0% = 10% | Action plan: SIEM Tuning
CM Security Continuous Monitoring | Service catalog: Operational Security - Security Continuous Monitoring | Tools: (Vulnerability Management), (Network Analytics); (Network Analytics); Malware Protection; (CASB); Vulnerability Management | CSC 4, 8, 19 | Budget FY2016-FY2020: 0; 2,000; 0; 0; 0 | Category maturity: 10.0%
DE.CM-1: The network is monitored to detect potential cybersecurity events | Tools: (Vulnerability Management), (Network Analytics) | CSC 19 | Budget entries: 2,000 | Levels: None / None / None / None -> 0% | Action plan: Passive Scanner Pilot PVS
DE.CM-2: The physical environment is monitored to detect potential cybersecurity events | CSC 19 | Levels: None / None / None / None -> 0%
DE.CM-3: Personnel activity is monitored to detect potential cybersecurity events | Tools: (Network Analytics) | CSC 19 | Levels: None / None / None / None -> 0%
DE.CM-4: Malicious code is detected | Tools: Malware Protection | CSC 8, 19 | Levels: Repeatable / Defined / Informal / Partial -> 20% + 10% + 5% + 5% = 40%
DE.CM-5: Unauthorized mobile code is detected | CSC 8, 19 | Levels: None / Defined / None / None -> 0% + 10% + 0% + 0% = 10%
DE.CM-6: External service provider activity is monitored to detect potential cybersecurity events | Tools: (CASB) | CSC 19 | Levels: None / None / None / None -> 0%
DE.CM-7: Monitoring for unauthorized personnel, connections, devices, and software is performed | CSC 19 | Levels: Inconsistent / Informal / None / None -> 10% + 5% + 0% + 0% = 15%
DE.CM-8: Vulnerability scans are performed | Tools: Vulnerability Management | CSC 4 | Levels: Inconsistent / Informal / None / None -> 10% + 5% + 0% + 0% = 15% | Action plan: Vulnerability Management Expansion

Network Passive scanner IPS/IDS Review


IPS/IDS Review IPS/IDS Review
DP Detection Processes Operational Security - Detection Processes 6 0 0 0 0 0 7.0% Network Passive scanner
IPS/IDS Review
Network Passive scanner

DE.DP-1: Roles and responsibilities for detection are well defined to 6 Inconsistent Informal None None 10% 5% 0% 0% 15% Network Passive scanner IPS/IDS Review
ensure accountability IPS/IDS Review

6 Inconsistent None None None 10% 0% 0% 0% 10% Network Passive scanner


DE.DP-2: Detection activities comply with all applicable requirements IPS/IDS Review
IPS/IDS Review

DE.DP-3: Detection processes are tested 6 None None None None 0% 0% 0% 0% 0% Network Passive scanner

DE.DP-4: Event detection information is communicated 6 Inconsistent None None None 10% 0% 0% 0% 10%

DE.DP-5: Detection processes are continuously improved 6 None None None None 0% 0% 0% 0% 0%

RESPOND

RP Response Planning | Operational Security - Response Planning | Ref: 19 | Budget: 0 0 0 0 0 | Category score: 20.0% | Roadmap: Build IR Plan; Review IR Plan; Review IR Plan; Review IR Plan; Review IR Plan

RS.RP-1: Response plan is executed during or after an incident | Ref: 19 | Process: Inconsistent (10%) | Policy: Informal (5%) | Documentation: Informal (5%) | Automation: None (0%) | Total: 20% | Roadmap: Build IR Plan; Review IR Plan; Review IR Plan; Review IR Plan; Review IR Plan

CO Communications | Operational Security - Communications | Ref: 19 | Budget: 0 0 0 0 0 | Category score: 12.0% | Roadmap: Tabletop IR; Tabletop IR; Tabletop IR; Tabletop IR

RS.CO-1: Personnel know their roles and order of operations when a response is needed | Ref: 19 | Process: Inconsistent (10%) | Policy: Informal (5%) | Documentation: None (0%) | Automation: None (0%) | Total: 15% | Roadmap: Tabletop IR; Tabletop IR; Tabletop IR; Tabletop IR

RS.CO-2: Incidents are reported consistent with established criteria | Ref: 19 | Process: Inconsistent (10%) | Policy: None (0%) | Documentation: Informal (5%) | Automation: None (0%) | Total: 15%

RS.CO-3: Information is shared consistent with response plans | Ref: 19 | Process: Inconsistent (10%) | Policy: None (0%) | Documentation: None (0%) | Automation: None (0%) | Total: 10%

RS.CO-4: Coordination with stakeholders occurs consistent with response plans | Ref: 19 | Process: Inconsistent (10%) | Policy: None (0%) | Documentation: None (0%) | Automation: None (0%) | Total: 10%

RS.CO-5: Voluntary information sharing occurs with external stakeholders to achieve broader cybersecurity situational awareness | Ref: 19 | Process: Inconsistent (10%) | Policy: None (0%) | Documentation: None (0%) | Automation: None (0%) | Total: 10%

AN Analysis | Operational Security - Analysis | Ref: 19 | Budget: 40,000 0 40,000 0 40,000 | Category score: 13.0%

RS.AN-1: Notifications from detection systems are investigated | Ref: 19 | Process: Inconsistent (10%) | Policy: None (0%) | Documentation: None (0%) | Automation: None (0%) | Total: 10%

RS.AN-2: The impact of the incident is understood | Ref: 19 | Process: Inconsistent (10%) | Policy: None (0%) | Documentation: None (0%) | Automation: None (0%) | Total: 10%

RS.AN-3: Forensics are performed | Service: 3rd party vendor, MS-ISAC | Ref: 19 | Budget: 40,000 40,000 40,000 | Process: Inconsistent (10%) | Policy: None (0%) | Documentation: Informal (5%) | Automation: None (0%) | Total: 15% | Roadmap: Perform forensic tests; Perform forensic tests

RS.AN-4: Incidents are categorized consistent with response plans | Ref: 19 | Process: Inconsistent (10%) | Policy: None (0%) | Documentation: Informal (5%) | Automation: None (0%) | Total: 15%

RS.AN-5: Processes are established to receive, analyze and respond to vulnerabilities disclosed to the organization from internal and external sources (e.g. internal testing, security bulletins, or security researchers) | Ref: 19 | Process: Inconsistent (10%) | Policy: None (0%) | Documentation: Informal (5%) | Automation: None (0%) | Total: 15%

MI Mitigation | Operational Security - Mitigation | Ref: 4, 19 | Budget: 0 0 0 0 0 | IR | Category score: 20.0% | Roadmap: Exception Review; Exception Review; Exception Review; Exception Review; Exception Review

RS.MI-1: Incidents are contained | Ref: 19 | Process: Inconsistent (10%) | Policy: Defined (10%) | Documentation: Informal (5%) | Automation: None (0%) | Total: 25%

RS.MI-2: Incidents are mitigated | Ref: 19 | Process: Inconsistent (10%) | Policy: Informal (5%) | Documentation: Informal (5%) | Automation: None (0%) | Total: 20%

RS.MI-3: Newly identified vulnerabilities are mitigated or documented as accepted risks | Ref: 4 | Process: Inconsistent (10%) | Policy: Informal (5%) | Documentation: None (0%) | Automation: None (0%) | Total: 15% | Roadmap: Exception Review; Exception Review; Exception Review; Exception Review; Exception Review

IM-D Improvements | Operational Security - Improvements | Ref: 19 | Budget: 0 0 0 0 0 | Category score: 0.0% | Roadmap: Update IR procedures; Update IR procedures; Update IR procedures; Update IR procedures; Update IR procedures

RS.IM-1: Response plans incorporate lessons learned | Ref: 19 | Process: None (0%) | Policy: None (0%) | Documentation: None (0%) | Automation: None (0%) | Total: 0%

RS.IM-2: Response strategies are updated | Ref: 19 | Process: None (0%) | Policy: None (0%) | Documentation: None (0%) | Automation: None (0%) | Total: 0% | Roadmap: Update IR procedures; Update IR procedures; Update IR procedures; Update IR procedures; Update IR procedures

RECOVER

RP Recovery Planning | Operational Security - Recovery Planning | Ref: 19 | Budget: 0 0 0 0 0 | CP | Category score: 0.0% | Roadmap: COOP Project

RC.RP-1: Recovery plan is executed during or after a cybersecurity incident | Ref: 19 | Process: None (0%) | Policy: None (0%) | Documentation: None (0%) | Automation: None (0%) | Total: 0% | Roadmap: COOP Project

IM-R Improvements | Operational Security - Improvements | Ref: 19 | Budget: 5,000 0 0 0 0 | Category score: 0.0%

RC.IM-1: Recovery plans incorporate lessons learned | Ref: 19 | Process: None (0%) | Policy: None (0%) | Documentation: None (0%) | Automation: None (0%) | Total: 0%

RC.IM-2: Recovery strategies are updated | Ref: 19 | Budget: 5,000 | Process: None (0%) | Policy: None (0%) | Documentation: None (0%) | Automation: None (0%) | Total: 0%

CO Communications | Operational Security - Communications | Ref: 19 | Budget: 0 0 0 0 0 | Category score: 10.0%

RC.CO-1: Public relations are managed | 4 | Ref: 19 | Process: Inconsistent (10%) | Policy: None (0%) | Documentation: None (0%) | Automation: None (0%) | Total: 10%

RC.CO-2: Reputation is repaired after an incident | 3 | Ref: 19 | Process: Inconsistent (10%) | Policy: None (0%) | Documentation: None (0%) | Automation: None (0%) | Total: 10%

RC.CO-3: Recovery activities are communicated to internal and external stakeholders as well as executive and management teams | 2 | Ref: 19 | Process: Inconsistent (10%) | Policy: None (0%) | Documentation: None (0%) | Automation: None (0%) | Total: 10%

Rev. 11.0, 2/6/2017

Key: Proposed | Funded | Unfunded | Current State | Future State | Progress Areas | Challenge Areas

Process Level    Value
None             0%
Inconsistent     10%
Repeatable       20%
Standardized     30%
Measured         40%
Optimized        50%

Policy Level     Value
None             0%
Informal         5%
Defined          10%
Audited          15%
Embedded         20%

Documentation Level      Value
None                     0%
Informal                 5%
Formal                   10%
Metrics and Reporting    15%
Improvement Process      20%

Automation Level    Value
None                0%
Partial             5%
Full                10%
Unavailable         10%
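The legend above is the scoring rule used throughout the sheet: a subcategory's total is the sum of its Process, Policy, Documentation and Automation values, and a category's score is the mean of its subcategories' totals (the eight DE.CM rows average to the 10.0% shown). The Python below is an added example, not part of the original spreadsheet; it encodes the legend, reproduces the DE.CM figures from rows transcribed above, and adds a headroom helper (an assumption of this example, not a column of the sheet) that reports how many points each dimension can still gain.

```python
from dataclasses import dataclass
from statistics import mean

# Level-to-value tables, copied from the legend on this page.
PROCESS = {"None": 0, "Inconsistent": 10, "Repeatable": 20,
           "Standardized": 30, "Measured": 40, "Optimized": 50}
POLICY = {"None": 0, "Informal": 5, "Defined": 10, "Audited": 15, "Embedded": 20}
DOCUMENTATION = {"None": 0, "Informal": 5, "Formal": 10,
                 "Metrics and Reporting": 15, "Improvement Process": 20}
AUTOMATION = {"None": 0, "Partial": 5, "Full": 10, "Unavailable": 10}
TABLES = {"Process": PROCESS, "Policy": POLICY,
          "Documentation": DOCUMENTATION, "Automation": AUTOMATION}


@dataclass(frozen=True)
class Subcategory:
    ident: str
    process: str
    policy: str
    documentation: str
    automation: str

    def levels(self) -> dict:
        return {"Process": self.process, "Policy": self.policy,
                "Documentation": self.documentation, "Automation": self.automation}

    def score(self) -> int:
        """Composite maturity: the four level values summed (100 is the ceiling)."""
        return sum(TABLES[dim][lvl] for dim, lvl in self.levels().items())

    def headroom(self) -> dict:
        """Points still available per dimension (added helper, not a sheet column)."""
        return {dim: max(TABLES[dim].values()) - TABLES[dim][lvl]
                for dim, lvl in self.levels().items()}


def category_score(subs) -> float:
    """Category score: mean of the subcategory composites, as the sheet computes it."""
    return round(mean(s.score() for s in subs), 1)


# Rows transcribed from the DE.CM category above: (id, process, policy, documentation, automation).
DE_CM = [
    Subcategory("DE.CM-1", "None", "None", "None", "None"),
    Subcategory("DE.CM-2", "None", "None", "None", "None"),
    Subcategory("DE.CM-3", "None", "None", "None", "None"),
    Subcategory("DE.CM-4", "Repeatable", "Defined", "Informal", "Partial"),
    Subcategory("DE.CM-5", "None", "Defined", "None", "None"),
    Subcategory("DE.CM-6", "None", "None", "None", "None"),
    Subcategory("DE.CM-7", "Inconsistent", "Informal", "None", "None"),
    Subcategory("DE.CM-8", "Inconsistent", "Informal", "None", "None"),
]
```

A level name that is not in the legend raises KeyError, which is the right failure for a mistyped cell rather than a silently wrong score.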


Likelihood

9-10  Very High  Adversary is almost certain to initiate attack. Accident or error is almost certain; occurs more than 100 times a year. Almost certain to have adverse impacts.

7-8   High       Adversary is highly likely to initiate attack. Accident or error is highly likely; occurs between 10-100 times a year. Highly likely to have adverse impacts.

4-6   Moderate   Adversary is somewhat likely to initiate attack. Accident or error is somewhat likely to occur; between 1-10 times a year. Somewhat likely to have adverse impacts.

2-3   Low        Adversary is unlikely to initiate attack. Accident or error is unlikely to occur; less than once a year, but more than once every 10. Unlikely to have adverse impacts.

0-1   Very Low   Adversary is highly unlikely to initiate attack. Accident or error is highly unlikely to occur; less than once every 10 years. Highly unlikely to have adverse impacts.

Priority

9-10  Very High  Critical control or foundational to a critical control; lack of this control would have multiple severe or catastrophic adverse effects on the organization.

7-8   High       Very important or foundational to a very important control; lack of this control would have severe or catastrophic adverse effects on the organization.

4-6   Moderate   Control is important or foundational to an important control; lack of this control would have serious adverse effects on the organization.

2-3   Low        Control is of low importance or foundational to a low importance control; lack of this control would have limited adverse effects on the organization.

0-1   Very Low   Control is not a priority nor a foundational control; lack of this control would have negligible adverse effects on the organization.
Impact

Multiple severe or catastrophic adverse effects on the organization.

Severe or catastrophic adverse effects on the organization.

Serious adverse effects on the organization.

Limited adverse effects on the organization.

Negligible adverse effects on the organization.

Risk Level

Event could be expected to have multiple severe or catastrophic adverse effects.

Event could be expected to have a severe or catastrophic adverse effect.

Event could be expected to have a serious adverse effect.

Event could be expected to have a limited adverse effect.

Event could be expected to have a negligible adverse effect.
