
PROTECT

NIST CSF 2.0 PROTECT function — categories and subcategories.

PR.AA (Medium): Identity Management, Authentication, and Access Control
Access to physical and logical assets is limited to authorized users, services, and hardware and managed commensurate with the assessed risk of unauthorized access

  PR.AA-01 (Medium): Identities and credentials for authorized users, services, and hardware are managed by the organization
  PR.AA-02 (Medium): Identities are proofed and bound to credentials based on the context of interactions
  PR.AA-03 (Medium): Users, services, and hardware are authenticated
  PR.AA-04 (Medium): Identity assertions are protected, conveyed, and verified
  PR.AA-05 (Medium): Access permissions, entitlements, and authorizations are defined in a policy, managed, enforced, and reviewed, and incorporate the principles of least privilege and separation of duties
  PR.AA-06 (Medium): Physical access to assets is managed, monitored, and enforced commensurate with risk

PR.AC (Medium): Identity Management, Authentication and Access Control

  PR.AC-01 (Medium): Identities and credentials are issued, managed, verified, revoked, and audited for authorized devices, users and processes
  PR.AC-02 (Medium): Physical access to assets is managed and protected
  PR.AC-03 (Medium): Remote access is managed
  PR.AC-04 (Medium): Access permissions and authorizations are managed, incorporating the principles of least privilege and separation of duties
  PR.AC-05 (Medium): Network integrity is protected (e.g., network segregation, network segmentation)
  PR.AC-06 (Medium): Identities are proofed and bound to credentials and asserted in interactions
  PR.AC-07 (Medium): Users, devices, and other assets are authenticated (e.g., single-factor, multi-factor) commensurate with the risk of the transaction (e.g., individuals’ security and privacy risks and other organizational risks)

PR.AT (Medium): Awareness and Training
The organization's personnel are provided with cybersecurity awareness and training so that they can perform their cybersecurity-related tasks

  PR.AT-01 (Medium): Personnel are provided with awareness and training so that they possess the knowledge and skills to perform general tasks with cybersecurity risks in mind
  PR.AT-02 (Medium): Individuals in specialized roles are provided with awareness and training so that they possess the knowledge and skills to perform relevant tasks with cybersecurity risks in mind
  PR.AT-03 (Medium): Third-party stakeholders (e.g., suppliers, customers, partners) understand their roles and responsibilities
  PR.AT-04 (Medium): Senior executives understand their roles and responsibilities
  PR.AT-05 (Medium): Physical and cybersecurity personnel understand their roles and responsibilities

PR.DS (Medium): Data Security
Data are managed consistent with the organization's risk strategy to protect the confidentiality, integrity, and availability of information

  PR.DS-01 (Medium): The confidentiality, integrity, and availability of data-at-rest are protected
  PR.DS-02 (Medium): The confidentiality, integrity, and availability of data-in-transit are protected
  PR.DS-03 (Medium): Assets are formally managed throughout removal, transfers, and disposition
  PR.DS-04 (Medium): Adequate capacity to ensure availability is maintained
  PR.DS-05 (Medium): Protections against data leaks are implemented
  PR.DS-06 (Medium): Integrity checking mechanisms are used to verify software, firmware, and information integrity
  PR.DS-07 (Medium): The development and testing environment(s) are separate from the production environment
  PR.DS-08 (Medium): Integrity checking mechanisms are used to verify hardware integrity
  PR.DS-10 (Medium): The confidentiality, integrity, and availability of data-in-use are protected
  PR.DS-11 (Medium): Backups of data are created, protected, maintained, and tested

PR.IP (Medium): Information Protection Processes and Procedures

  PR.IP-01 (Medium): A baseline configuration of information technology/industrial control systems is created and maintained incorporating security principles (e.g., concept of least functionality)
  PR.IP-02 (Medium): A System Development Life Cycle to manage systems is implemented
  PR.IP-03 (Medium): Configuration change control processes are in place
  PR.IP-04 (Medium): Backups of information are conducted, maintained, and tested
  PR.IP-05 (Medium): Policy and regulations regarding the physical operating environment for organizational assets are met
  PR.IP-06 (Medium): Data is destroyed according to policy
  PR.IP-07 (Medium): Protection processes are improved
  PR.IP-08 (Medium): Effectiveness of protection technologies is shared
  PR.IP-09 (Medium): Response plans (Incident Response and Business Continuity) and recovery plans (Incident Recovery and Disaster Recovery) are in place and managed
  PR.IP-10 (Medium): Response and recovery plans are tested
  PR.IP-11 (Medium): Cybersecurity is included in human resources practices (e.g., deprovisioning, personnel screening)
  PR.IP-12 (Medium): A vulnerability management plan is developed and implemented

PR.IR (Medium): Technology Infrastructure Resilience
Security architectures are managed with the organization's risk strategy to protect asset confidentiality, integrity, and availability, and organizational resilience

  PR.IR-01 (Medium): Networks and environments are protected from unauthorized logical access and usage
  PR.IR-02 (Medium): The organization's technology assets are protected from environmental threats
  PR.IR-03 (Medium): Mechanisms are implemented to achieve resilience requirements in normal and adverse situations
  PR.IR-04 (Medium): Adequate resource capacity to ensure availability is maintained

PR.MA (Medium): Maintenance

  PR.MA-01 (Medium): Maintenance and repair of organizational assets are performed and logged, with approved and controlled tools
  PR.MA-02 (Medium): Remote maintenance of organizational assets is approved, logged, and performed in a manner that prevents unauthorized access

PR.PS (Medium): Platform Security
The hardware, software (e.g., firmware, operating systems, applications), and services of physical and virtual platforms are managed consistent with the organization's risk strategy to protect their confidentiality, integrity, and availability

  PR.PS-01 (Medium): Configuration management practices are established and applied
  PR.PS-02 (Medium): Software is maintained, replaced, and removed commensurate with risk
  PR.PS-03 (Medium): Hardware is maintained, replaced, and removed commensurate with risk
  PR.PS-04 (Medium): Log records are generated and made available for continuous monitoring
  PR.PS-05 (Medium): Installation and execution of unauthorized software are prevented
  PR.PS-06 (Medium): Secure software development practices are integrated, and their performance is monitored throughout the software development life cycle

PR.PT (Medium): Protective Technology

  PR.PT-01 (Medium): Audit/log records are determined, documented, implemented, and reviewed in accordance with policy
  PR.PT-02 (Medium): Removable media is protected and its use restricted according to policy
  PR.PT-03 (Medium): The principle of least functionality is incorporated by configuring systems to provide only essential capabilities
  PR.PT-04 (Medium): Communications and control networks are protected
  PR.PT-05 (Medium): Mechanisms (e.g., failsafe, load balancing, hot swap) are implemented to achieve resilience requirements in normal and adverse situations