NIST CSF | Compliance | Fluid Attacks Help

NIST CSF

logo

Summary

The NIST Cybersecurity Framework is a guidance based on existing standards, guidelines and practices for organizations to better manage and reduce cybersecurity risk. This set of requirements was developed by the National Institute of Standards and Technology (NIST) in close collaboration with the private sector. The version used in this section NIST CSF v2.0.

Definitions

Definition Requirements
ID_AM-03. Representations of the organization’s authorized network communication and internal and external network data flows are maintained 337. Make critical logic flows thread safe
ID_AM-04. Inventories of services provided by suppliers are maintained 330. Verify Subresource Integrity
PR_AA-01. Identities and credentials for authorized users, services, and hardware are managed by the organization 025. Manage concurrent sessions
035. Manage privilege modifications
122. Validate credential ownership
142. Change system default credentials
143. Unique access credentials
380. Define a password management tool
PR_AA-02. Identities are proofed and bound to credentials based on the context of interactions 033. Restrict administrative access
PR_AA-03. Users, services, and hardware are authenticated 225. Proper authentication responses
229. Request access credentials
264. Request authentication
362. Assign MFA mechanisms to a single account
PR_AA-04. Identity assertions are protected, conveyed, and verified 096. Set user's required privileges
PR_AA-05. Access permissions, entitlements, and authorizations are defined in a policy, managed, enforced, and reviewed, and incorporate the principles of least privilege and separation of duties 186. Use the principle of least privilege
PR_AA-06. Physical access to assets is managed, monitored, and enforced commensurate with risk 257. Access based on user credentials
266. Disable insecure functionalities
273. Define a fixed security suite
PR_DS-01. The confidentiality, integrity, and availability of data-at-rest are protected 176. Restrict system objects
PR_DS-02. The confidentiality, integrity, and availability of data-in-transit are protected 181. Transmit data using secure protocols
PR_DS-10. The confidentiality, integrity, and availability of data-in-use are protected 062. Define standard configurations
PR_DS-11. Backups of data are created, protected, maintained, and tested 185. Encrypt sensitive information
PR_PS-02. Software is maintained, replaced, and removed commensurate with risk 262. Verify third-party components
PR_PS-04. Log records are generated and made available for continuous monitoring 377. Store logs based on valid regulation
378. Use of log management system
PR_PS-06. Secure software development practices are integrated, and their performance is monitored throughout the software development life cycle 062. Define standard configurations
158. Use a secure programming language
161. Define secure default options
PR_IR-01. Networks and environments are protected from unauthorized logical access and usage 259. Segment the organization network
341. Use the principle of deny by default
DE_CM-01. Networks and network services are monitored to find potentially adverse events 376. Register severity level
DE_CM-03. Personnel activity and technology usage are monitored to find potentially adverse events 075. Record exceptional events in logs
079. Record exact occurrence time of events
376. Register severity level
377. Store logs based on valid regulation
378. Use of log management system
DE_CM-06. External service provider activities and services are monitored to find potentially adverse events 262. Verify third-party components
DE_AE-02. Potentially adverse events are analyzed to better understand associated activities 079. Record exact occurrence time of events
080. Prevent log modification
376. Register severity level
RS_MA-01. The incident response plan is executed in coordination with relevant third parties once an incident is declared 225. Proper authentication responses
RS_AN-07. Incident data and metadata are collected, and their integrity and provenance are preserved 046. Manage the integrity of critical files
080. Prevent log modification
377. Store logs based on valid regulation
RC_RP-01. The recovery portion of the incident response plan is executed once initiated from the incident response process 238. Establish safe recovery
Free trial message
Free trial
Search for vulnerabilities in your apps for free with Fluid Attacks' automated security testing! Start your 21-day free trial and discover the benefits of the Continuous Hacking Essential plan. If you prefer the Advanced plan, which includes the expertise of Fluid Attacks' hacking team, fill out this contact form.