License for Use

This work is licensed under an International Public License (link can be found at https://creativeco

To further clarify the license related to the content of CIS Controls®, Luis Alberto Alviarez, ISO E
S, is authorized to copy and redistribute the content as a framework for use, inside and outside o
commercial purposes, provided (i) appropriate credit is given to CIS, and (ii) a link is provided. Ad
SOC 2 compliance, QualIT will not be able to distribute the materials set forth in this matrix. User
(http://www.cisecurity.org/controls/).
d at https://creativecommons.org/licenses/by-nc-nd/4.0/legalcode

berto Alviarez, ISO External Auditor under registration NTC 9000;27000-CL1127622-

inside and outside of your organization, you solely grant QualIT rights, for non-
a link is provided. Additionally, if you remix, transform, or build upon CIS controls and
h in this matrix. Users of the CIS controls framework may also consult
 Mapping Methodology
This page describes the methodology used to map CIS critical security controls to the AICPA 2022 Trust
Reference link for SOC2: https://www.aicpa.org/content/dam/aicpa/interestareas/frc/assuranceadvisoryse

The methodology used to create the mapping can be useful to anyone attempting to understand the relatio
The overall goal for CIS mappings is to be as specific as possible, leaning towards under-mapping versus
It is not enough for two Controls to be related, it must be clear that implementing one control will contribute
The general strategy used is to identify all of the aspects within a control and attempt to discern if both item

CIS Control 6.1 - Establish an Access Granting Process

Establish and follow a process, preferably automated, for granting access to enterprise assets upon new

For a defensive mitigation to map to this CIS Safeguard it must have at least one of the following:
• A clearly documented process, covering both new employees and changes in access.
• All relevant enteprise access control must be covered under this process, there can be no seperation w
• Automated tools are ideally used, such as a SSO provider or routing access control through a directory
• The same process is followed every time a user's rights change, so a user never amasses greater rights

If the two concepts are effectively equal, they are mapped with the relationship "equivalent". If they are no
The relationships can be further analyzed to understand how similar or different the two defensive mitigat
The relationship column will contain one of four possible values:
• Equivalent: The defensive mitigation contains the exact same security concept as the CIS Control.
• Superset: The CIS Control is partially or mostly related to the defensive mitigation in question, but the C
• Subset: The CIS Safeguard is partially or mostly related, yet is still subsumed within the defensive mitig
• No relationship: This will be represented by a blank cell.

The relationships should be read from left to right, like a sentence. CIS Safeguard X is Equivalent to this
Examples:
CIS Safeguard 16.8 "Separate Production and Non-Production Systems" is EQUIVALENT to NIST CSF P
CIS Safeguard 3.5 "Securely Dispose of Data" is a SUBSET of NIST CSF PR.DS-3 "Assets are formally

The CIS Controls are written with certain principles in mind, such as only having one ask per Safeguard.
relationship can often be "Subset."
The mappings have been carried out based on the source of CIS CONSTROLS V8 and AICPA requested
Remember to download the CIS Controls Version 8 Guide where you can learn more about:

- This Version of the CIS Controls

- The CIS Controls Ecosystem ("It's not about the list')
- How to Get Started
- Using or Transitioning from Prior Versions of the CIS Controls
- Structure of the CIS Controls
- Implementation Groups
- Why is this Controls critical
- Procedures and tools

https://www.cisecurity.org/controls/v8/

A free tool with a dynamic list of the CIS Safeguards that can be filtered by Implemtation Groups
and mappings to multiple frameworks.

https://www.cisecurity.org/controls/v8/

Join our community where you can discuss the CIS Controls with our global army of experts
and voluneers!
https://workbench.cisecurity.org/dashboard
 Security
CIS Control CIS Safeguard Asset Type
Function

1 1.1 Devices Identify

1 1.1 Devices Identify

1 1.2 Devices Respond

1 1.3 Devices Detect

1 1.4 Devices Identify

1 1.5 Devices Detect

2 2.1 Applications Identify

2 2.1 Applications Identify

2 2.2 Applications Identify

2 2.3 Applications Respond

2 2.4 Applications Detect

2 2.5 Applications Protect

2 2.6 Applications Protect

2 2.7 Applications Protect

3
3 3.1 Data Identify

3 3.2 Data Identify

3 3.2 Data Identify

3 3.2 Data Identify

3 3.3 Data Protect

3 3.3 Data Protect

3 3.4 Data Protect

3 3.5 Data Protect

3 3.5 Data Protect

3 3.6 Devices Protect

3 3.7 Data Identify

3 3.8 Data Identify

3 3.9 Data Protect

3 3.10 Data Protect

3 3.10 Data Protect

3 3.11 Data Protect

3 3.12 Network Protect

3 3.13 Data Protect

3 3.14 Data Detect

4 4.1 Applications Protect

4 4.1 Applications Protect

4 4.2 Network Protect

4 4.3 Users Protect

4 4.4 Devices Protect

4 4.5 Devices Protect

4 4.6 Network Protect

4 4.7 Users Protect

4 4.8 Devices Protect

4 4.8 Devices Protect

4 4.9 Devices Protect

4 4.10 Devices Respond

4 4.11 Devices Protect

4 4.12 Devices Protect

5 5.1 Users Identify

5 5.1 Users Identify

5 5.1 Users Identify

5 5.2 Users Protect

5 5.3 Users Respond

5 5.4 Users Protect

5 5.4 Users Protect

5 5.5 Users Identify

5 5.6 Users Protect

6 6.1 Users Protect

6 6.2 Users Protect

6 6.2 Users Protect

6 6.3 Users Protect

6 6.3 Users Protect

6 6.4 Users Protect

6 6.4 Users Protect

6 6.5 Users Protect

6 6.6 Users Identify

6 6.6 Users Identify

6 6.6 Users Identify

6 6.7 Users Protect

6 6.8 Data Protect

6 6.8 Data Protect

7 7.1 Applications Protect

7 7.2 Applications Respond

7 7.2 Applications Respond

7 7.2 Applications Respond

7 7.3 Applications Protect

7 7.4 Applications Protect

7 7.5 Applications Identify

7 7.5 Applications Identify

7 7.6 Applications Identify

7 7.6 Applications Identify

7 7.6 Applications Identify

7 7.7 Applications Respond

8

8 8.1 Network Protect

8 8.2 Network Detect

8 8.3 Network Protect

8 8.4 Network Protect

8 8.4 Network Protect

8 8.5 Network Detect

8 8.5 Network Detect

8 8.6 Network Detect

8 8.7 Network Detect

8 8.8 Devices Detect

8 8.8 Devices Detect

8 8.9 Network Detect

8 8.10 Network Protect
8 8.11 Network Detect

8 8.11 Network Detect

8 8.12 Data Detect

9 9.1 Applications Protect

9 9.2 Network Protect

9 9.3 Network Protect

9 9.3 Network Protect

9 9.4 Applications Protect

9 9.5 Network Protect

9 9.6 Network Protect

9 9.7 Network Protect

10

10 10.1 Devices Protect

10 10.2 Devices Protect

10 10.3 Devices Protect

10 10.4 Devices Detect

10 10.5 Devices Protect

10 10.6 Devices Protect

10 10.7 Devices Detect

11

11 11.1 Data Recover

11 11.2 Data Recover

11 11.3 Data Protect

11 11.3 Data Protect

11 11.3 Data Protect

11 11.4 Data Recover

11 11.5 Data Recover

11 11.5 Data Recover

12

12 12.1 Network Protect

12 12.2 Network Protect

12 12.3 Network Protect

12 12.4 Network Identify

12 12.5 Network Protect

12 12.6 Network Protect

12 12.7 Devices Protect

12 12.8 Devices Protect

13

13 13.1 Network Detect

13 13.2 Devices Detect

13 13.3 Network Detect

13 13.3 Network Detect

13 13.4 Network Protect

13 13.4 Network Protect

13 13.5 Devices Protect

13 13.6 Network Detect

13 13.7 Devices Protect

13 13.8 Network Protect

13 13.8 Network Protect

13 13.9 Devices Protect

13 13.10 Network Protect

13 13.10 Network Protect

13 13.11 Network Detect

13 13.11 Network Detect

14

14 14.1 N/A Protect

14 14.1 N/A Protect

14 14.1 N/A Protect

14 14.2 N/A Protect

14 14.3 N/A Protect

14 14.4 N/A Protect

14 14.5 N/A Protect

14 14.6 N/A Protect

14 14.7 N/A Protect

14 14.8 N/A Protect

14 14.9 N/A Protect

15

15 15.1 N/A Identify

15 15.2 N/A Identify

15 15.2 N/A Identify

15 15.2 N/A Identify

15 15.3 N/A Identify

15 15.4 N/A Protect

15 15.5 N/A Identify

15 15.6 Data Detect

15 15.7 Data Protect

16

16 16.1 Applications Protect

16 16.2 Applications Protect

16 16.3 Applications Protect

16 16.4 Applications Protect

16 16.5 Applications Protect

16 16.6 Applications Protect

16 16.7 Applications Protect

16 16.8 Applications Protect

16 16.9 Applications Protect

16 16.10 Applications Protect

16 16.11 Applications Protect

16 16.12 Applications Protect

16 16.13 Applications Protect

16 16.14 Applications Protect

17
17 17.1 N/A Respond

17 17.2 N/A Respond

17 17.3 N/A Respond

17 17.4 N/A Respond

17 17.4 N/A Respond

17 17.4 N/A Respond

17 17.5 N/A Respond

17 17.6 N/A Respond

17 17.7 N/A Recover

17 17.8 N/A Recover

17 17.9 N/A Recover

18

18 18.1 N/A Identify

18 18.2 Network Identify

18 18.3 Network Protect

18 18.4 Network Protect

18 18.5 N/A Identify

Title

Inventory and Control of

Enterprise Assets
Actively manage (inventory, track, and correct) all enterprise assets (end-user devices, including
mobile; network devices; non-computing/Internet of Things (IoT) devices; and servers) connected
infrastructure physically, virtually, remotely, and those within cloud environments, to accurately k
totality of assets that need to be monitored and protected within the enterprise. This will also supp
identifying unauthorized and unmanaged assets to remove or remediate.

Establish and Maintain

Detailed Enterprise Asset
Inventory

Establish and Maintain

Detailed Enterprise Asset
Inventory

Address Unauthorized Assets

Utilize an Active Discovery

Tool
Use Dynamic Host
Configuration Protocol
(DHCP) Logging to Update
Enterprise Asset Inventory
Use a Passive Asset
Discovery Tool

Inventory and Control of

Software Assets

Actively manage (inventory, track, and correct) all software (operating systems and applications)
network so that only authorized software is installed and can execute, and that unauthorized and
software is found and prevented from installation or execution.

Establish and Maintain a

Software Inventory

Establish and Maintain a

Software Inventory

Ensure Authorized Software is

Currently Supported

Address Unauthorized
Software
Utilize Automated Software
Inventory Tools

Allowlist Authorized Software

Allowlist Authorized Libraries

Allowlist Authorized Scripts

Data Protection
Develop processes and technical controls to identify, classify, securely handle, retain, and dispos

Establish and Maintain a Data

Management Process

Establish and Maintain a Data

Inventory

Establish and Maintain a Data

Inventory

Establish and Maintain a Data

Inventory

Configure Data Access

Control Lists

Configure Data Access

Control Lists

Enforce Data Retention

Securely Dispose of Data

Securely Dispose of Data

Encrypt Data on End-User

Devices

Establish and Maintain a Data

Classification Scheme
Document Data Flows

Encrypt Data on Removable

Media

Encrypt Sensitive Data in

Transit

Encrypt Sensitive Data in

Transit

Encrypt Sensitive Data at Rest

Segment Data Processing and

Storage Based on Sensitivity

Deploy a Data Loss

Prevention Solution

Log Sensitive Data Access

Secure Configuration of
Enterprise Assets and
Software
Establish and maintain the secure configuration of enterprise assets (end-user devices, including
and mobile; network devices; non-computing/IoT devices; and servers) and software (operating s
applications).

Establish and Maintain a

Secure Configuration Process
Establish and Maintain a
Secure Configuration Process

Establish and Maintain a

Secure Configuration Process
for Network Infrastructure

Configure Automatic Session

Locking on Enterprise Assets

Implement and Manage a

Firewall on Servers

Implement and Manage a

Firewall on End-User Devices

Securely Manage Enterprise

Assets and Software

Manage Default Accounts on

Enterprise Assets and
Software

Uninstall or Disable
Unnecessary Services on
Enterprise Assets and
Software
Uninstall or Disable
Unnecessary Services on
Enterprise Assets and
Software

Configure Trusted DNS

Servers on Enterprise Assets

Enforce Automatic Device

Lockout on Portable End-User
Devices
Enforce Remote Wipe
Capability on Portable End-
User Devices

Separate Enterprise
Workspaces on Mobile End-
User Devices

Account Management
Use processes and tools to assign and manage authorization to credentials for user accounts, inc
administrator accounts, as well as service accounts, to enterprise assets and software.

Establish and Maintain an

Inventory of Accounts

Establish and Maintain an

Inventory of Accounts

Establish and Maintain an

Inventory of Accounts

Use Unique Passwords

Disable Dormant Accounts

Restrict Administrator
Privileges to Dedicated
Administrator Accounts

Restrict Administrator
Privileges to Dedicated
Administrator Accounts

Establish and Maintain an

Inventory of Service Accounts
Centralize Account
Management

Access Control
Management
Use processes and tools to create, assign, manage, and revoke access credentials and privileges
administrator, and service accounts for enterprise assets and software.

Establish an Access Granting

Process

Establish an Access Revoking

Process

Establish an Access Revoking

Process

Require MFA for Externally-

Exposed Applications

Require MFA for Externally-

Exposed Applications

Require MFA for Remote

Network Access

Require MFA for Remote

Network Access

Require MFA for

Administrative Access

Establish and Maintain an

Inventory of Authentication
and Authorization Systems

Establish and Maintain an

Inventory of Authentication
and Authorization Systems
Establish and Maintain an
Inventory of Authentication
and Authorization Systems

Centralize Access Control

Define and Maintain Role-

Based Access Control

Define and Maintain Role-

Based Access Control

Continuous Vulnerability
Management
Develop a plan to continuously assess and track vulnerabilities on all enterprise assets within the
infrastructure, in order to remediate, and minimize, the window of opportunity for attackers. Monit
and private industry sources for new threat and vulnerability information.

Establish and Maintain a

Vulnerability Management
Process

Establish and Maintain a

Remediation Process

Establish and Maintain a

Remediation Process

Establish and Maintain a

Remediation Process

Perform Automated Operating

System Patch Management

Perform Automated
Application Patch
Management
Perform Automated
Vulnerability Scans of Internal
Enterprise Assets
Perform Automated
Vulnerability Scans of Internal
Enterprise Assets
Perform Automated
Vulnerability Scans of
Externally-Exposed Enterprise
Assets
Perform Automated
Vulnerability Scans of
Externally-Exposed Enterprise
Assets
Perform Automated
Vulnerability Scans of
Externally-Exposed Enterprise
Assets
Remediate Detected
Vulnerabilities
Audit Log Management
Collect, alert, review, and retain audit logs of events that could help detect, understand, or recove
attack.

Establish and Maintain an

Audit Log Management
Process

Collect Audit Logs

Ensure Adequate Audit Log

Storage

Standardize Time
Synchronization

Standardize Time
Synchronization

Collect Detailed Audit Logs

Collect Detailed Audit Logs

Collect DNS Query Audit Logs

Collect URL Request Audit

Logs

Collect Command-Line Audit

Logs

Collect Command-Line Audit

Logs
Centralize Audit Logs
Retain Audit Logs
Conduct Audit Log Reviews

Conduct Audit Log Reviews

Collect Service Provider Logs

Email and Web Browser

Protections
Improve protections and detections of threats from email and web vectors, as these are opportun
attackers to manipulate human behavior through direct engagement.
Ensure Use of Only Fully
Supported Browsers and
Email Clients

Use DNS Filtering Services

Maintain and Enforce

Network-Based URL Filters

Maintain and Enforce

Network-Based URL Filters

Restrict Unnecessary or
Unauthorized Browser and
Email Client Extensions
Implement DMARC

Block Unnecessary File Types

Deploy and Maintain Email

Server Anti-Malware
Protections
Malware Defenses
Prevent or control the installation, spread, and execution of malicious applications, code, or scrip
enterprise assets.
Deploy and Maintain Anti-
Malware Software
Configure Automatic Anti-
Malware Signature Updates

Disable Autorun and Autoplay

for Removable Media

Configure Automatic Anti-

Malware Scanning of
Removable Media

Enable Anti-Exploitation
Features

Centrally Manage Anti-

Malware Software
Use Behavior-Based Anti-
Malware Software
Data Recovery
Establish and maintain data recovery practices sufficient to restore in-scope enterprise assets to
incident and trusted state.

Establish and Maintain a Data

Recovery Process

Perform Automated Backups

Protect Recovery Data

Protect Recovery Data

Protect Recovery Data

Establish and Maintain an

Isolated Instance of Recovery
Data

Test Data Recovery

Test Data Recovery

Network Infrastructure
Management
Establish, implement, and actively manage (track, report, correct) network devices, in order to pre
attackers from exploiting vulnerable network services and access points.

Ensure Network Infrastructure

is Up-to-Date

Establish and Maintain a

Secure Network Architecture

Securely Manage Network

Infrastructure

Establish and Maintain

Architecture Diagram(s)

Centralize Network
Authentication, Authorization,
and Auditing (AAA)

Use of Secure Network

Management and
Communication Protocols

Ensure Remote Devices

Utilize a VPN and are
Connecting to an Enterprise’s
AAA Infrastructure

Establish and Maintain

Dedicated Computing
Resources for All
Administrative Work
Network Monitoring and
Defense
Operate processes and tooling to establish and maintain comprehensive network monitoring and
against security threats across the enterprise’s network infrastructure and user base.

Centralize Security Event

Alerting

Deploy a Host-Based Intrusion

Detection Solution

Deploy a Network Intrusion

Detection Solution

Deploy a Network Intrusion

Detection Solution

Perform Traffic Filtering

Between Network Segments

Perform Traffic Filtering

Between Network Segments

Manage Access Control for

Remote Assets

Collect Network Traffic Flow

Logs

Deploy a Host-Based Intrusion

Prevention Solution

Deploy a Network Intrusion

Prevention Solution

Deploy a Network Intrusion

Prevention Solution
Deploy Port-Level Access
Control

Perform Application Layer

Filtering

Perform Application Layer

Filtering

Tune Security Event Alerting

Thresholds

Tune Security Event Alerting

Thresholds

Security Awareness and

Skills Training
Establish and maintain a security awareness program to influence behavior among the workforce
security conscious and properly skilled to reduce cybersecurity risks to the enterprise.

Establish and Maintain a

Security Awareness Program

Establish and Maintain a

Security Awareness Program

Establish and Maintain a

Security Awareness Program

Train Workforce Members to

Recognize Social Engineering
Attacks

Train Workforce Members on

Authentication Best Practices
Train Workforce on Data
Handling Best Practices

Train Workforce Members on

Causes of Unintentional Data
Exposure
Train Workforce Members on
Recognizing and Reporting
Security Incidents
Train Workforce on How to
Identify and Report if Their
Enterprise Assets are Missing
Security Updates

Train Workforce on the

Dangers of Connecting to and
Transmitting Enterprise Data
Over Insecure Networks

Conduct Role-Specific
Security Awareness and Skills
Training

Service Provider
Management
Develop a process to evaluate service providers who hold sensitive data, or are responsible for an
enterprise’s critical IT platforms or processes, to ensure these providers are protecting those plat
data appropriately.

Establish and Maintain an

Inventory of Service Providers

Establish and Maintain a

Service Provider Management
Policy

Establish and Maintain a

Service Provider Management
Policy
Establish and Maintain a
Service Provider Management
Policy

Classify Service Providers

Ensure Service Provider

Contracts Include Security
Requirements

Assess Service Providers

Monitor Service Providers

Securely Decommission
Service Providers

Application Software Security

Manage the security life cycle of in-house developed, hosted, or acquired software to prevent, det
remediate security weaknesses before they can impact the enterprise.

Establish and Maintain a

Secure Application
Development Process
Establish and Maintain a
Process to Accept and
Address Software
Vulnerabilities

Perform Root Cause Analysis

on Security Vulnerabilities

Establish and Manage an

Inventory of Third-Party
Software Components

Use Up-to-Date and Trusted

Third-Party Software
Components

Establish and Maintain a

Severity Rating System and
Process for Application
Vulnerabilities

Use Standard Hardening

Configuration Templates for
Application Infrastructure

Separate Production and Non-

Production Systems
Train Developers in
Application Security Concepts
and Secure Coding

Apply Secure Design

Principles in Application
Architectures

Leverage Vetted Modules or

Services for Application
Security Components

Implement Code-Level
Security Checks

Conduct Application
Penetration Testing

Conduct Threat Modeling

Incident Response
Management

Establish a program to develop and maintain an incident response capability (e.g., policies, plans
procedures, defined roles, training, and communications) to prepare, detect, and quickly respond
Designate Personnel to
Manage Incident Handling

Establish and Maintain

Contact Information for
Reporting Security Incidents

Establish and Maintain an

Enterprise Process for
Reporting Incidents

Establish and Maintain an

Incident Response Process

Establish and Maintain an

Incident Response Process

Establish and Maintain an

Incident Response Process

Assign Key Roles and

Responsibilities

Define Mechanisms for

Communicating During
Incident Response

Conduct Routine Incident

Response Exercises

Conduct Post-Incident
Reviews
Establish and Maintain
Security Incident Thresholds

Penetration Testing
Test the effectiveness and resiliency of enterprise assets through identifying and exploiting weak
controls (people, processes, and technology), and simulating the objectives and actions of an atta

Establish and Maintain a

Penetration Testing Program

Perform Periodic External

Penetration Tests

Remediate Penetration Test

Findings

Validate Security Measures

Perform Periodic Internal
Penetration Tests
 Description

ventory, track, and correct) all enterprise assets (end-user devices, including portable and
vices; non-computing/Internet of Things (IoT) devices; and servers) connected to the
cally, virtually, remotely, and those within cloud environments, to accurately know the
at need to be monitored and protected within the enterprise. This will also support
rized and unmanaged assets to remove or remediate.

Establish and maintain an accurate, detailed, and up-to-date inventory of all

enterprise assets with the potential to store or process data, to include: end-user
devices (including portable and mobile), network devices, non-computing/IoT devices,
and servers. Ensure the inventory records the network address (if static), hardware
address, machine name, enterprise asset owner, department for each asset, and
whether the asset has been approved to connect to the network. For mobile end-user
devices, MDM type tools can support this process, where appropriate. This inventory
includes assets connected to the infrastructure physically, virtually, remotely, and
those within cloud environments. Additionally, it includes assets that are regularly
connected to the enterprise’s network infrastructure, even if they are not under control
of the enterprise. Review and update the inventory of all enterprise assets bi-
annually, or more frequently.

Establish and maintain an accurate, detailed, and up-to-date inventory of all

enterprise assets with the potential to store or process data, to include: end-user
devices (including portable and mobile), network devices, non-computing/IoT devices,
and servers. Ensure the inventory records the network address (if static), hardware
address, machine name, enterprise asset owner, department for each asset, and
whether the asset has been approved to connect to the network. For mobile end-user
devices, MDM type tools can support this process, where appropriate. This inventory
includes assets connected to the infrastructure physically, virtually, remotely, and
those within cloud environments. Additionally, it includes assets that are regularly
connected to the enterprise’s network infrastructure, even if they are not under control
of the enterprise. Review and update the inventory of all enterprise assets bi-
annually, or more frequently.

Ensure that a process exists to address unauthorized assets on a weekly basis. The
enterprise may choose to remove the asset from the network, deny the asset from
connecting remotely to the network, or quarantine the asset.
Utilize an active discovery tool to identify assets connected to the enterprise’s
network. Configure the active discovery tool to execute daily, or more frequently.

Use DHCP logging on all DHCP servers or Internet Protocol (IP) address
management tools to update the enterprise’s asset inventory. Review and use logs to
update the enterprise’s asset inventory weekly, or more frequently.
 Use a passive discovery tool to identify assets connected to the enterprise’s network.
Review and use scans to update the enterprise’s asset inventory at least weekly, or
more frequently.

ventory, track, and correct) all software (operating systems and applications) on the
y authorized software is installed and can execute, and that unauthorized and unmanaged
nd prevented from installation or execution.

Establish and maintain a detailed inventory of all licensed software installed on

enterprise assets. The software inventory must document the title, publisher, initial
install/use date, and business purpose for each entry; where appropriate, include the
Uniform Resource Locator (URL), app store(s), version(s), deployment mechanism,
and decommission date. Review and update the software inventory bi-annually, or
more frequently.
Establish and maintain a detailed inventory of all licensed software installed on
enterprise assets. The software inventory must document the title, publisher, initial
install/use date, and business purpose for each entry; where appropriate, include the
Uniform Resource Locator (URL), app store(s), version(s), deployment mechanism,
and decommission date. Review and update the software inventory bi-annually, or
more frequently.

Ensure that only currently supported software is designated as authorized in the

software inventory for enterprise assets. If software is unsupported, yet necessary for
the fulfillment of the enterprise’s mission, document an exception detailing mitigating
controls and residual risk acceptance. For any unsupported software without an
exception documentation, designate as unauthorized. Review the software list to
verify software support at least monthly, or more frequently.

Ensure that unauthorized software is either removed from use on enterprise assets or
receives a documented exception. Review monthly, or more frequently.
Utilize software inventory tools, when possible, throughout the enterprise to automate
the discovery and documentation of installed software.

Use technical controls, such as application allowlisting, to ensure that only authorized
software can execute or be accessed. Reassess bi-annually, or more frequently.

Use technical controls to ensure that only authorized software libraries, such as
specific .dll, .ocx, .so, etc., files, are allowed to load into a system process. Block
unauthorized libraries from loading into a system process. Reassess bi-annually, or
more frequently.

Use technical controls, such as digital signatures and version control, to ensure that
only authorized scripts, such as specific .ps1, .py, etc., files, are allowed to execute.
Block unauthorized scripts from executing. Reassess bi-annually, or more frequently.
and technical controls to identify, classify, securely handle, retain, and dispose of data.

Establish and maintain a data management process. In the process, address data
sensitivity, data owner, handling of data, data retention limits, and disposal
requirements, based on sensitivity and retention standards for the enterprise. Review
and update documentation annually, or when significant enterprise changes occur
that could impact this Safeguard.
Establish and maintain a data inventory, based on the enterprise’s data management
process. Inventory sensitive data, at a minimum. Review and update inventory
annually, at a minimum, with a priority on sensitive data.

Establish and maintain a data inventory, based on the enterprise’s data management
process. Inventory sensitive data, at a minimum. Review and update inventory
annually, at a minimum, with a priority on sensitive data.

Establish and maintain a data inventory, based on the enterprise’s data management
process. Inventory sensitive data, at a minimum. Review and update inventory
annually, at a minimum, with a priority on sensitive data.
Configure data access control lists based on a user’s need to know. Apply data
access control lists, also known as access permissions, to local and remote file
systems, databases, and applications.
Configure data access control lists based on a user’s need to know. Apply data
access control lists, also known as access permissions, to local and remote file
systems, databases, and applications.
Retain data according to the enterprise’s data management process. Data retention
must include both minimum and maximum timelines.

Securely dispose of data as outlined in the enterprise’s data management process.

Ensure the disposal process and method are commensurate with the data sensitivity.

Securely dispose of data as outlined in the enterprise’s data management process.

Ensure the disposal process and method are commensurate with the data sensitivity.

Encrypt data on end-user devices containing sensitive data. Example

implementations can include: Windows BitLocker®, Apple FileVault®, Linux® dm-
crypt.

Establish and maintain an overall data classification scheme for the enterprise.
Enterprises may use labels, such as “Sensitive,” “Confidential,” and “Public,” and
classify their data according to those labels. Review and update the classification
scheme annually, or when significant enterprise changes occur that could impact this
Safeguard.
 Document data flows. Data flow documentation includes service provider data flows
and should be based on the enterprise’s data management process. Review and
update documentation annually, or when significant enterprise changes occur that
could impact this Safeguard.

Encrypt data on removable media.

Encrypt sensitive data in transit. Example implementations can include: Transport

Layer Security (TLS) and Open Secure Shell (OpenSSH).

Encrypt sensitive data in transit. Example implementations can include: Transport

Layer Security (TLS) and Open Secure Shell (OpenSSH).

Encrypt sensitive data at rest on servers, applications, and databases containing

sensitive data. Storage-layer encryption, also known as server-side encryption, meets
the minimum requirement of this Safeguard. Additional encryption methods may
include application-layer encryption, also known as client-side encryption, where
access to the data storage device(s) does not permit access to the plain-text data.

Segment data processing and storage based on the sensitivity of the data. Do not
process sensitive data on enterprise assets intended for lower sensitivity data.

Implement an automated tool, such as a host-based Data Loss Prevention (DLP) tool
to identify all sensitive data stored, processed, or transmitted through enterprise
assets, including those located onsite or at a remote service provider, and update the
enterprise's sensitive data inventory.

Log sensitive data access, including modification and disposal.

ain the secure configuration of enterprise assets (end-user devices, including portable
k devices; non-computing/IoT devices; and servers) and software (operating systems and

Establish and maintain a secure configuration process for enterprise assets (end-user
devices, including portable and mobile, non-computing/IoT devices, and servers) and
software (operating systems and applications). Review and update documentation
annually, or when significant enterprise changes occur that could impact this
Safeguard.
Establish and maintain a secure configuration process for enterprise assets (end-user
devices, including portable and mobile, non-computing/IoT devices, and servers) and
software (operating systems and applications). Review and update documentation
annually, or when significant enterprise changes occur that could impact this
Safeguard.

Establish and maintain a secure configuration process for network devices. Review
and update documentation annually, or when significant enterprise changes occur
that could impact this Safeguard.

Configure automatic session locking on enterprise assets after a defined period of

inactivity. For general purpose operating systems, the period must not exceed 15
minutes. For mobile end-user devices, the period must not exceed 2 minutes.
Implement and manage a firewall on servers, where supported. Example
implementations include a virtual firewall, operating system firewall, or a third-party
firewall agent.
Implement and manage a host-based firewall or port-filtering tool on end-user
devices, with a default-deny rule that drops all traffic except those services and ports
that are explicitly allowed.
Securely manage enterprise assets and software. Example implementations include
managing configuration through version-controlled-infrastructure-as-code and
accessing administrative interfaces over secure network protocols, such as Secure
Shell (SSH) and Hypertext Transfer Protocol Secure (HTTPS). Do not use insecure
management protocols, such as Telnet (Teletype Network) and HTTP, unless
operationally essential.

Manage default accounts on enterprise assets and software, such as root,

administrator, and other pre-configured vendor accounts. Example implementations
can include: disabling default accounts or making them unusable.

Uninstall or disable unnecessary services on enterprise assets and software, such as

an unused file sharing service, web application module, or service function.

Uninstall or disable unnecessary services on enterprise assets and software, such as

an unused file sharing service, web application module, or service function.

Configure trusted DNS servers on enterprise assets. Example implementations

include: configuring assets to use enterprise-controlled DNS servers and/or reputable
externally accessible DNS servers.
Enforce automatic device lockout following a predetermined threshold of local failed
authentication attempts on portable end-user devices, where supported. For laptops,
do not allow more than 20 failed authentication attempts; for tablets and
smartphones, no more than 10 failed authentication attempts. Example
implementations include Microsoft® InTune Device Lock and Apple® Configuration
Profile maxFailedAttempts.
 Remotely wipe enterprise data from enterprise-owned portable end-user devices
when deemed appropriate such as lost or stolen devices, or when an individual no
longer supports the enterprise.
Ensure separate enterprise workspaces are used on mobile end-user devices, where
supported. Example implementations include using an Apple® Configuration Profile
or Android™ Work Profile to separate enterprise applications and data from personal
applications and data.

tools to assign and manage authorization to credentials for user accounts, including
nts, as well as service accounts, to enterprise assets and software.
Establish and maintain an inventory of all accounts managed in the enterprise. The
inventory must include both user and administrator accounts. The inventory, at a
minimum, should contain the person’s name, username, start/stop dates, and
department. Validate that all active accounts are authorized, on a recurring schedule
at a minimum quarterly, or more frequently.
Establish and maintain an inventory of all accounts managed in the enterprise. The
inventory must include both user and administrator accounts. The inventory, at a
minimum, should contain the person’s name, username, start/stop dates, and
department. Validate that all active accounts are authorized, on a recurring schedule
at a minimum quarterly, or more frequently.
Establish and maintain an inventory of all accounts managed in the enterprise. The
inventory must include both user and administrator accounts. The inventory, at a
minimum, should contain the person’s name, username, start/stop dates, and
department. Validate that all active accounts are authorized, on a recurring schedule
at a minimum quarterly, or more frequently.
Use unique passwords for all enterprise assets. Best practice implementation
includes, at a minimum, an 8-character password for accounts using MFA and a 14-
character password for accounts not using MFA.
Delete or disable any dormant accounts after a period of 45 days of inactivity, where
supported.

Restrict administrator privileges to dedicated administrator accounts on enterprise

assets. Conduct general computing activities, such as internet browsing, email, and
productivity suite use, from the user’s primary, non-privileged account.

Restrict administrator privileges to dedicated administrator accounts on enterprise

assets. Conduct general computing activities, such as internet browsing, email, and
productivity suite use, from the user’s primary, non-privileged account.

Establish and maintain an inventory of service accounts. The inventory, at a

minimum, must contain department owner, review date, and purpose. Perform
service account reviews to validate that all active accounts are authorized, on a
recurring schedule at a minimum quarterly, or more frequently.
 Centralize account management through a directory or identity service.

tools to create, assign, manage, and revoke access credentials and privileges for user,
ervice accounts for enterprise assets and software.

Establish and follow a process, preferably automated, for granting access to

enterprise assets upon new hire, rights grant, or role change of a user.

Establish and follow a process, preferably automated, for revoking access to

enterprise assets, through disabling accounts immediately upon termination, rights
revocation, or role change of a user. Disabling accounts, instead of deleting accounts,
may be necessary to preserve audit trails.
Establish and follow a process, preferably automated, for revoking access to
enterprise assets, through disabling accounts immediately upon termination, rights
revocation, or role change of a user. Disabling accounts, instead of deleting accounts,
may be necessary to preserve audit trails.
Require all externally-exposed enterprise or third-party applications to enforce MFA,
where supported. Enforcing MFA through a directory service or SSO provider is a
satisfactory implementation of this Safeguard.
Require all externally-exposed enterprise or third-party applications to enforce MFA,
where supported. Enforcing MFA through a directory service or SSO provider is a
satisfactory implementation of this Safeguard.

Require MFA for remote network access.

Require MFA for remote network access.

Require MFA for all administrative access accounts, where supported, on all
enterprise assets, whether managed on-site or through a third-party provider.

Establish and maintain an inventory of the enterprise’s authentication and

authorization systems, including those hosted on-site or at a remote service provider.
Review and update the inventory, at a minimum, annually, or more frequently.

Establish and maintain an inventory of the enterprise’s authentication and

authorization systems, including those hosted on-site or at a remote service provider.
Review and update the inventory, at a minimum, annually, or more frequently.
 Establish and maintain an inventory of the enterprise’s authentication and
authorization systems, including those hosted on-site or at a remote service provider.
Review and update the inventory, at a minimum, annually, or more frequently.

Centralize access control for all enterprise assets through a directory service or SSO
provider, where supported.
Define and maintain role-based access control, through determining and
documenting the access rights necessary for each role within the enterprise to
successfully carry out its assigned duties. Perform access control reviews of
enterprise assets to validate that all privileges are authorized, on a recurring schedule
at a minimum annually, or more frequently.
Define and maintain role-based access control, through determining and
documenting the access rights necessary for each role within the enterprise to
successfully carry out its assigned duties. Perform access control reviews of
enterprise assets to validate that all privileges are authorized, on a recurring schedule
at a minimum annually, or more frequently.

ontinuously assess and track vulnerabilities on all enterprise assets within the enterprise’s
der to remediate, and minimize, the window of opportunity for attackers. Monitor public
sources for new threat and vulnerability information.

Establish and maintain a documented vulnerability management process for

enterprise assets. Review and update documentation annually, or when significant
enterprise changes occur that could impact this Safeguard.

Establish and maintain a risk-based remediation strategy documented in a

remediation process, with monthly, or more frequent, reviews.

Establish and maintain a risk-based remediation strategy documented in a

remediation process, with monthly, or more frequent, reviews.

Establish and maintain a risk-based remediation strategy documented in a

remediation process, with monthly, or more frequent, reviews.

Perform operating system updates on enterprise assets through automated patch

management on a monthly, or more frequent, basis.

Perform application updates on enterprise assets through automated patch

management on a monthly, or more frequent, basis.
 Perform automated vulnerability scans of internal enterprise assets on a quarterly, or
more frequent, basis. Conduct both authenticated and unauthenticated scans, using a
SCAP-compliant vulnerability scanning tool.
Perform automated vulnerability scans of internal enterprise assets on a quarterly, or
more frequent, basis. Conduct both authenticated and unauthenticated scans, using a
SCAP-compliant vulnerability scanning tool.

Perform automated vulnerability scans of externally-exposed enterprise assets using

a SCAP-compliant vulnerability scanning tool. Perform scans on a monthly, or more
frequent, basis.

Perform automated vulnerability scans of externally-exposed enterprise assets using

a SCAP-compliant vulnerability scanning tool. Perform scans on a monthly, or more
frequent, basis.

Perform automated vulnerability scans of externally-exposed enterprise assets using

a SCAP-compliant vulnerability scanning tool. Perform scans on a monthly, or more
frequent, basis.

Remediate detected vulnerabilities in software through processes and tooling on a

monthly, or more frequent, basis, based on the remediation process.

w, and retain audit logs of events that could help detect, understand, or recover from an

Establish and maintain an audit log management process that defines the
enterprise’s logging requirements. At a minimum, address the collection, review, and
retention of audit logs for enterprise assets. Review and update documentation
annually, or when significant enterprise changes occur that could impact this
Safeguard.
Collect audit logs. Ensure that logging, per the enterprise’s audit log management
process, has been enabled across enterprise assets.

Ensure that logging destinations maintain adequate storage to comply with the
enterprise’s audit log management process.

Standardize time synchronization. Configure at least two synchronized time sources

across enterprise assets, where supported.

Standardize time synchronization. Configure at least two synchronized time sources

across enterprise assets, where supported.

Configure detailed audit logging for enterprise assets containing sensitive data.
Include event source, date, username, timestamp, source addresses, destination
addresses, and other useful elements that could assist in a forensic investigation.

Configure detailed audit logging for enterprise assets containing sensitive data.
Include event source, date, username, timestamp, source addresses, destination
addresses, and other useful elements that could assist in a forensic investigation.
 Collect DNS query audit logs on enterprise assets, where appropriate and supported.

Collect URL request audit logs on enterprise assets, where appropriate and
supported.

Collect command-line audit logs. Example implementations include collecting audit

logs from PowerShell®, BASH™, and remote administrative terminals.

Collect command-line audit logs. Example implementations include collecting audit

logs from PowerShell®, BASH™, and remote administrative terminals.
Centralize, to the extent possible, audit log collection and retention across enterprise
assets.
Retain audit logs across enterprise assets for a minimum of 90 days.
Conduct reviews of audit logs to detect anomalies or abnormal events that could
indicate a potential threat. Conduct reviews on a weekly, or more frequent, basis.

Conduct reviews of audit logs to detect anomalies or abnormal events that could
indicate a potential threat. Conduct reviews on a weekly, or more frequent, basis.

Collect service provider logs, where supported. Example implementations include

collecting authentication and authorization events, data creation and disposal events,
and user management events.

s and detections of threats from email and web vectors, as these are opportunities for
late human behavior through direct engagement.
Ensure only fully supported browsers and email clients are allowed to execute in the
enterprise, only using the latest version of browsers and email clients provided
through the vendor.

Use DNS filtering services on all enterprise assets to block access to known
malicious domains.

Enforce and update network-based URL filters to limit an enterprise asset from
connecting to potentially malicious or unapproved websites. Example
implementations include category-based filtering, reputation-based filtering, or
through the use of block lists. Enforce filters for all enterprise assets.
Enforce and update network-based URL filters to limit an enterprise asset from
connecting to potentially malicious or unapproved websites. Example
implementations include category-based filtering, reputation-based filtering, or
through the use of block lists. Enforce filters for all enterprise assets.

Restrict, either through uninstalling or disabling, any unauthorized or unnecessary

browser or email client plugins, extensions, and add-on applications.
 To lower the chance of spoofed or modified emails from valid domains, implement
DMARC policy and verification, starting with implementing the Sender Policy
Framework (SPF) and the DomainKeys Identified Mail (DKIM) standards.

Block unnecessary file types attempting to enter the enterprise’s email gateway.

Deploy and maintain email server anti-malware protections, such as attachment

scanning and/or sandboxing.

he installation, spread, and execution of malicious applications, code, or scripts on

Deploy and maintain anti-malware software on all enterprise assets.

Configure automatic updates for anti-malware signature files on all enterprise assets.

Disable autorun and autoplay auto-execute functionality for removable media.

Configure anti-malware software to automatically scan removable media.

Enable anti-exploitation features on enterprise assets and software, where possible,

such as Microsoft® Data Execution Prevention (DEP), Windows® Defender Exploit
Guard (WDEG), or Apple® System Integrity Protection (SIP) and Gatekeeper™.

Centrally manage anti-malware software.

Use behavior-based anti-malware software.

ain data recovery practices sufficient to restore in-scope enterprise assets to a pre-
state.
Establish and maintain a data recovery process. In the process, address the scope of
data recovery activities, recovery prioritization, and the security of backup data.
Review and update documentation annually, or when significant enterprise changes
occur that could impact this Safeguard.
Perform automated backups of in-scope enterprise assets. Run backups weekly, or
more frequently, based on the sensitivity of the data.

Protect recovery data with equivalent controls to the original data. Reference
encryption or data separation, based on requirements.

Protect recovery data with equivalent controls to the original data. Reference
encryption or data separation, based on requirements.
 Protect recovery data with equivalent controls to the original data. Reference
encryption or data separation, based on requirements.

Establish and maintain an isolated instance of recovery data. Example

implementations include, version controlling backup destinations through offline,
cloud, or off-site systems or services.

Test backup recovery quarterly, or more frequently, for a sampling of in-scope

enterprise assets.

Test backup recovery quarterly, or more frequently, for a sampling of in-scope

enterprise assets.

nt, and actively manage (track, report, correct) network devices, in order to prevent
oiting vulnerable network services and access points.
Ensure network infrastructure is kept up-to-date. Example implementations include
running the latest stable release of software and/or using currently supported
network-as-a-service (NaaS) offerings. Review software versions monthly, or more
frequently, to verify software support.

Establish and maintain a secure network architecture. A secure network architecture

must address segmentation, least privilege, and availability, at a minimum.

Securely manage network infrastructure. Example implementations include version-

controlled-infrastructure-as-code, and the use of secure network protocols, such as
SSH and HTTPS.
Establish and maintain architecture diagram(s) and/or other network system
documentation. Review and update documentation annually, or when significant
enterprise changes occur that could impact this Safeguard.

Centralize network AAA.

Use secure network management and communication protocols (e.g., 802.1X, Wi-Fi
Protected Access 2 (WPA2) Enterprise or greater).

Require users to authenticate to enterprise-managed VPN and authentication

services prior to accessing enterprise resources on end-user devices.

Establish and maintain dedicated computing resources, either physically or logically

separated, for all administrative tasks or tasks requiring administrative access. The
computing resources should be segmented from the enterprise's primary network and
not be allowed internet access.
and tooling to establish and maintain comprehensive network monitoring and defense
eats across the enterprise’s network infrastructure and user base.
Centralize security event alerting across enterprise assets for log correlation and
analysis. Best practice implementation requires the use of a SIEM, which includes
vendor-defined event correlation alerts. A log analytics platform configured with
security-relevant correlation alerts also satisfies this Safeguard.

Deploy a host-based intrusion detection solution on enterprise assets, where

appropriate and/or supported.

Deploy a network intrusion detection solution on enterprise assets, where

appropriate. Example implementations include the use of a Network Intrusion
Detection System (NIDS) or equivalent cloud service provider (CSP) service.

Deploy a network intrusion detection solution on enterprise assets, where

appropriate. Example implementations include the use of a Network Intrusion
Detection System (NIDS) or equivalent cloud service provider (CSP) service.

Perform traffic filtering between network segments, where appropriate.

Perform traffic filtering between network segments, where appropriate.

Manage access control for assets remotely connecting to enterprise resources.

Determine amount of access to enterprise resources based on: up-to-date anti-
malware software installed, configuration compliance with the enterprise’s secure
configuration process, and ensuring the operating system and applications are up-to-
date.

Collect network traffic flow logs and/or network traffic to review and alert upon from
network devices.

Deploy a host-based intrusion prevention solution on enterprise assets, where

appropriate and/or supported. Example implementations include use of an Endpoint
Detection and Response (EDR) client or host-based IPS agent.
Deploy a network intrusion prevention solution, where appropriate. Example
implementations include the use of a Network Intrusion Prevention System (NIPS) or
equivalent CSP service.

Deploy a network intrusion prevention solution, where appropriate. Example

implementations include the use of a Network Intrusion Prevention System (NIPS) or
equivalent CSP service.
 Deploy port-level access control. Port-level access control utilizes 802.1x, or similar
network access control protocols, such as certificates, and may incorporate user
and/or device authentication.

Perform application layer filtering. Example implementations include a filtering proxy,

application layer firewall, or gateway.

Perform application layer filtering. Example implementations include a filtering proxy,

application layer firewall, or gateway.

Tune security event alerting thresholds monthly, or more frequently.

Tune security event alerting thresholds monthly, or more frequently.

ain a security awareness program to influence behavior among the workforce to be

and properly skilled to reduce cybersecurity risks to the enterprise.
Establish and maintain a security awareness program. The purpose of a security
awareness program is to educate the enterprise’s workforce on how to interact with
enterprise assets and data in a secure manner. Conduct training at hire and, at a
minimum, annually. Review and update content annually, or when significant
enterprise changes occur that could impact this Safeguard.
Establish and maintain a security awareness program. The purpose of a security
awareness program is to educate the enterprise’s workforce on how to interact with
enterprise assets and data in a secure manner. Conduct training at hire and, at a
minimum, annually. Review and update content annually, or when significant
enterprise changes occur that could impact this Safeguard.
Establish and maintain a security awareness program. The purpose of a security
awareness program is to educate the enterprise’s workforce on how to interact with
enterprise assets and data in a secure manner. Conduct training at hire and, at a
minimum, annually. Review and update content annually, or when significant
enterprise changes occur that could impact this Safeguard.

Train workforce members to recognize social engineering attacks, such as phishing,

pre-texting, and tailgating.

Train workforce members on authentication best practices. Example topics include

MFA, password composition, and credential management.
 Train workforce members on how to identify and properly store, transfer, archive, and
destroy sensitive data. This also includes training workforce members on clear screen
and desk best practices, such as locking their screen when they step away from their
enterprise asset, erasing physical and virtual whiteboards at the end of meetings, and
storing data and assets securely.
Train workforce members to be aware of causes for unintentional data exposure.
Example topics include mis-delivery of sensitive data, losing a portable end-user
device, or publishing data to unintended audiences.

Train workforce members to be able to recognize a potential incident and be able to

report such an incident.

Train workforce to understand how to verify and report out-of-date software patches
or any failures in automated processes and tools. Part of this training should include
notifying IT personnel of any failures in automated processes and tools.

Train workforce members on the dangers of connecting to, and transmitting data
over, insecure networks for enterprise activities. If the enterprise has remote workers,
training must include guidance to ensure that all users securely configure their home
network infrastructure.

Conduct role-specific security awareness and skills training. Example

implementations include secure system administration courses for IT professionals,
(OWASP® Top 10 vulnerability awareness and prevention training for web application
developers, and advanced social engineering awareness training for high-profile
roles.

o evaluate service providers who hold sensitive data, or are responsible for an
IT platforms or processes, to ensure these providers are protecting those platforms and

Establish and maintain an inventory of service providers. The inventory is to list all
known service providers, include classification(s), and designate an enterprise
contact for each service provider. Review and update the inventory annually, or when
significant enterprise changes occur that could impact this Safeguard.

Establish and maintain a service provider management policy. Ensure the policy
addresses the classification, inventory, assessment, monitoring, and
decommissioning of service providers. Review and update the policy annually, or
when significant enterprise changes occur that could impact this Safeguard.
Establish and maintain a service provider management policy. Ensure the policy
addresses the classification, inventory, assessment, monitoring, and
decommissioning of service providers. Review and update the policy annually, or
when significant enterprise changes occur that could impact this Safeguard.
 Establish and maintain a service provider management policy. Ensure the policy
addresses the classification, inventory, assessment, monitoring, and
decommissioning of service providers. Review and update the policy annually, or
when significant enterprise changes occur that could impact this Safeguard.
Classify service providers. Classification consideration may include one or more
characteristics, such as data sensitivity, data volume, availability requirements,
applicable regulations, inherent risk, and mitigated risk. Update and review
classifications annually, or when significant enterprise changes occur that could
impact this Safeguard.

Ensure service provider contracts include security requirements. Example

requirements may include minimum security program requirements, security incident
and/or data breach notification and response, data encryption requirements, and data
disposal commitments. These security requirements must be consistent with the
enterprise’s service provider management policy. Review service provider contracts
annually to ensure contracts are not missing security requirements.

Assess service providers consistent with the enterprise’s service provider

management policy. Assessment scope may vary based on classification(s), and may
include review of standardized assessment reports, such as Service Organization
Control 2 (SOC 2) and Payment Card Industry (PCI) Attestation of Compliance (AoC),
customized questionnaires, or other appropriately rigorous processes. Reassess
service providers annually, at a minimum, or with new and renewed contracts.

Monitor service providers consistent with the enterprise’s service provider

management policy. Monitoring may include periodic reassessment of service
provider compliance, monitoring service provider release notes, and dark web
monitoring.
Securely decommission service providers. Example considerations include user and
service account deactivation, termination of data flows, and secure disposal of
enterprise data within service provider systems.
e Security
y life cycle of in-house developed, hosted, or acquired software to prevent, detect, and
weaknesses before they can impact the enterprise.

Establish and maintain a secure application development process. In the process,

address such items as: secure application design standards, secure coding practices,
developer training, vulnerability management, security of third-party code, and
application security testing procedures. Review and update documentation annually,
or when significant enterprise changes occur that could impact this Safeguard.
Establish and maintain a process to accept and address reports of software
vulnerabilities, including providing a means for external entities to report. The process
is to include such items as: a vulnerability handling policy that identifies reporting
process, responsible party for handling vulnerability reports, and a process for intake,
assignment, remediation, and remediation testing. As part of the process, use a
vulnerability tracking system that includes severity ratings, and metrics for measuring
timing for identification, analysis, and remediation of vulnerabilities. Review and
update documentation annually, or when significant enterprise changes occur that
could impact this Safeguard.

Third-party application developers need to consider this an externally-facing policy

that helps to set expectations for outside stakeholders.

Perform root cause analysis on security vulnerabilities. When reviewing

vulnerabilities, root cause analysis is the task of evaluating underlying issues that
create vulnerabilities in code, and allows development teams to move beyond just
fixing individual vulnerabilities as they arise.

Establish and manage an updated inventory of third-party components used in

development, often referred to as a “bill of materials,” as well as components slated
for future use. This inventory is to include any risks that each third-party component
could pose. Evaluate the list at least monthly to identify any changes or updates to
these components, and validate that the component is still supported.

Use up-to-date and trusted third-party software components. When possible, choose
established and proven frameworks and libraries that provide adequate
security. Acquire these components from trusted sources or evaluate the software for
vulnerabilities before use.

Establish and maintain a severity rating system and process for application
vulnerabilities that facilitates prioritizing the order in which discovered vulnerabilities
are fixed. This process includes setting a minimum level of security acceptability for
releasing code or applications. Severity ratings bring a systematic way of triaging
vulnerabilities that improves risk management and helps ensure the most severe
bugs are fixed first. Review and update the system and process annually.

Use standard, industry-recommended hardening configuration templates for

application infrastructure components. This includes underlying servers, databases,
and web servers, and applies to cloud containers, Platform as a Service (PaaS)
components, and SaaS components. Do not allow in-house developed software to
weaken configuration hardening.

Maintain separate environments for production and non-production systems.

 Ensure that all software development personnel receive training in writing secure
code for their specific development environment and responsibilities. Training can
include general security principles and application security standard practices.
Conduct training at least annually and design in a way to promote security within the
development team, and build a culture of security among the developers.

Apply secure design principles in application architectures. Secure design principles

include the concept of least privilege and enforcing mediation to validate every
operation that the user makes, promoting the concept of "never trust user input."
Examples include ensuring that explicit error checking is performed and documented
for all input, including for size, data type, and acceptable ranges or formats. Secure
design also means minimizing the application infrastructure attack surface, such as
turning off unprotected ports and services, removing unnecessary programs and files,
and renaming or removing default accounts.

Leverage vetted modules or services for application security components, such as

identity management, encryption, and auditing and logging. Using platform features in
critical security functions will reduce developers’ workload and minimize the likelihood
of design or implementation errors. Modern operating systems provide effective
mechanisms for identification, authentication, and authorization and make those
mechanisms available to applications. Use only standardized, currently accepted, and
extensively reviewed encryption algorithms. Operating systems also provide
mechanisms to create and maintain secure audit logs.

Apply static and dynamic analysis tools within the application life cycle to verify that
secure coding practices are being followed.
Conduct application penetration testing. For critical applications, authenticated
penetration testing is better suited to finding business logic vulnerabilities than code
scanning and automated security testing. Penetration testing relies on the skill of the
tester to manually manipulate an application as an authenticated and unauthenticated
user.
Conduct threat modeling. Threat modeling is the process of identifying and
addressing application security design flaws within a design, before code is created. It
is conducted through specially trained individuals who evaluate the application design
and gauge security risks for each entry point and access level. The goal is to map out
the application, architecture, and infrastructure in a structured way to understand its
weaknesses.

m to develop and maintain an incident response capability (e.g., policies, plans,

roles, training, and communications) to prepare, detect, and quickly respond to an attack.
Designate one key person, and at least one backup, who will manage the enterprise’s
incident handling process. Management personnel are responsible for the
coordination and documentation of incident response and recovery efforts and can
consist of employees internal to the enterprise, third-party vendors, or a hybrid
approach. If using a third-party vendor, designate at least one person internal to the
enterprise to oversee any third-party work. Review annually, or when significant
enterprise changes occur that could impact this Safeguard.
Establish and maintain contact information for parties that need to be informed of
security incidents. Contacts may include internal staff, third-party vendors, law
enforcement, cyber insurance providers, relevant government agencies, Information
Sharing and Analysis Center (ISAC) partners, or other stakeholders. Verify contacts
annually to ensure that information is up-to-date.
Establish and maintain an enterprise process for the workforce to report security
incidents. The process includes reporting timeframe, personnel to report to,
mechanism for reporting, and the minimum information to be reported. Ensure the
process is publicly available to all of the workforce. Review annually, or when
significant enterprise changes occur that could impact this Safeguard.
Establish and maintain an incident response process that addresses roles and
responsibilities, compliance requirements, and a communication plan. Review
annually, or when significant enterprise changes occur that could impact this
Safeguard.
Establish and maintain an incident response process that addresses roles and
responsibilities, compliance requirements, and a communication plan. Review
annually, or when significant enterprise changes occur that could impact this
Safeguard.
Establish and maintain an incident response process that addresses roles and
responsibilities, compliance requirements, and a communication plan. Review
annually, or when significant enterprise changes occur that could impact this
Safeguard.
Assign key roles and responsibilities for incident response, including staff from legal,
IT, information security, facilities, public relations, human resources, incident
responders, and analysts, as applicable. Review annually, or when significant
enterprise changes occur that could impact this Safeguard.
Determine which primary and secondary mechanisms will be used to communicate
and report during a security incident. Mechanisms can include phone calls, emails, or
letters. Keep in mind that certain mechanisms, such as emails, can be affected during
a security incident. Review annually, or when significant enterprise changes occur
that could impact this Safeguard.
Plan and conduct routine incident response exercises and scenarios for key
personnel involved in the incident response process to prepare for responding to real-
world incidents. Exercises need to test communication channels, decision making,
and workflows. Conduct testing on an annual basis, at a minimum.

Conduct post-incident reviews. Post-incident reviews help prevent incident recurrence

through identifying lessons learned and follow-up action.
 Establish and maintain security incident thresholds, including, at a minimum,
differentiating between an incident and an event. Examples can include: abnormal
activity, security vulnerability, security weakness, data breach, privacy incident, etc.
Review annually, or when significant enterprise changes occur that could impact this
Safeguard.

ss and resiliency of enterprise assets through identifying and exploiting weaknesses in

ocesses, and technology), and simulating the objectives and actions of an attacker.

Establish and maintain a penetration testing program appropriate to the size,

complexity, and maturity of the enterprise. Penetration testing program characteristics
include scope, such as network, web application, Application Programming Interface
(API), hosted services, and physical premise controls; frequency; limitations, such as
acceptable hours, and excluded attack types; point of contact information;
remediation, such as how findings will be routed internally; and retrospective
requirements.
Perform periodic external penetration tests based on program requirements, no less
than annually. External penetration testing must include enterprise and environmental
reconnaissance to detect exploitable information. Penetration testing requires
specialized skills and experience and must be conducted through a qualified party.
The testing may be clear box or opaque box.

Remediate penetration test findings based on the enterprise’s policy for remediation
scope and prioritization.

Validate security measures after each penetration test. If deemed necessary, modify
rulesets and capabilities to detect the techniques used during testing.
Perform periodic internal penetration tests based on program requirements, no less
than annually. The testing may be clear box or opaque box.
IG1 IG2 IG3 Relationship TSC #

X X X Subset CC6.1

X X X Subset CC3.2

X X X Equivalent CC7.1

X X

X X
 X Subset CC7.2

X X X Subset CC6.1

X X X Subset CC3.2

X X X

X X X Subset CC7.1

X X

X X Subset CC6.8

X X Subset CC5.2

X Subset CC5.2
X X X

X X X Superset C1.1

X X X Subset CC3.2

X X X Subset CC6.1

X X X Subset CC5.2

X X X Subset CC6.1

X X X

X X X Superset C1.2

X X X Subset CC6.5

X X X Subset CC6.1

X X Subset CC3.2
 X X Subset CC3.2

X X Subset CC6.1

X X Subset CC6.1

X X Subset CC6.7

X X Subset CC6.1

X X Subset CC6.7

X Subset CC6.7

X Subset CC6.1

X X X Superset CC7.1
X X X Superset CC8.1

X X X Subset CC5.2

X X X

X X X Subset CC6.6

X X X Subset CC6.6

X X X Subset CC5.2

X X X Subset CC6.3

X X Subset CC6.3

X X Subset CC6.6

X X

X X
 X X

X X X Subset CC6.1

Subset CC6.2

Subset CC6.3

X X X Subset CC6.1

X X X

X X X Subset CC6.1

X X X Subset CC6.3

X X
 X X Subset CC6.1

X X X Equivalent CC6.2

X X X Subset CC6.2

X X X Subset CC6.3

X X X Subset CC6.1

X X X Subset CC6.6

X X X Subset CC6.1

X X X Subset CC6.6

X X X Subset CC6.1

X X Subset CC6.1

X X Subset CC6.3
 X X Subset CC6.4

X X

X Equivalent CC6.3

X Subset CC5.2

X X X Subset CC3.2

X X X Subset CC3.2

X X X Subset CC3.3

X X X Superset CC9.1

X X X Subset CC7.1

X X X Subset CC7.1
 X X Subset CC7.1

X X Subset CC7.1

X X Subset CC6.6

X X Subset CC7.1

X X Subset CC7.1

X X

X X X

X X X

X X X Subset A1.1

X X Subset CC4.1

X X Subset CC5.2

X X Subset CC5.2

X X Subset CC7.2
 X X

X X Subset CC5.2

X X Subset CC5.2

X X Subset CC6.8

X X
X X
X X Subset CC4.1

X X Subset CC7.3

X X X

X X X Susbet CC5.2

X X Subset CC5.2

X X Subset CC6.6

X X
 X X Subset CC5.2

X X

X X X Subset CC6.8

X X X

X X X

X X

X X Subset CC6.8

X X Subset CC6.8

X X

X X X Subset A1.2

X X X

X X X Subset CC6.4

X X X Subset CC6.7
X X X Subset A1.2

X X X

X X Subset A1.2

X X Subset A1.3

X X X

X X

X X Equivalent CC5.2

X X Subset CC6.1

X X

X X Subset CC6.1

X X

X Subset CC6.1
X X

X X Subset CC7.2

X X Subset CC6.6

X X Subset CC7.2

X X Subset CC6.6

X X Subset CC6.7

X X Subset CC6.6

X X Subset CC7.2

X Subset CC6.6

X Subset CC7.2
 X Subset CC6.6

X Subset CC6.6

X Subset CC7.2

X Subset CC7.2

X Subset A1.1

X X X Subset CC1.4

X X X Intersects CC2.2

X X X Subset CC2.2

X X X

X X X
X X X

X X X

X X X

X X X

X X X

X X Subset CC2.2

X X X

X X Subset CC3.2

X X Subset CC3.4
X X Subset CC9.2

X X

X X

X X Subset CC1.4
X X

X X

X X

X X

X X

X X

X X
X X

X X

X X

X
X X X

X X X Subset CC2.3

X X X Subset CC2.2

X X Subset CC7.2

X X Equivalent CC7.4

X X Superset CC7.5

X X

X X

X X

X X Subset CC7.3
 X

X X

X X

X X Subset CC3.2

X
Focus Point

Identifies and Manages the

Inventory of Information Assets

Identifies and Assesses Criticality

of Information Assets and
Identifies Threats and
Vulnerabilities

Detects Unknown or
Unauthorized Components
Identifies and Manages the
Inventory of Information Assets

Identifies and Assesses Criticality

of Information Assets and
Identifies Threats and
Vulnerabilities

Detects Unknown or
Unauthorized Components

Restricts Application and

Software Installation
Identifies and Assesses Criticality
of Information Assets and
Identifies Threats and
Vulnerabilities

Identifies and Manages the

Inventory of Information Assets

Establishes relevant security

management process control
activities.

Identifies and Assesses Criticality

of Information Assets and
Identifies Threats and
Vulnerabilities
Identifies and Assesses Criticality
of Information Assets and
Identifies Threats and
Vulnerabilities
Establishes relevant technology
infrastructure control activities.

Establishes relevant technology

infrastructure control activities.
Establishes relevant security
management process control
activities.

Identifies and Assesses Criticality

of Information Assets and
Identifies Threats and
Vulnerabilities

Identifies and Assesses Criticality

of Information Assets and
Identifies Threats and
Vulnerabilities

Considers the Risks Related to

the Use of IT and Access to
Information
Conduct Vulnerability Scans

Conduct Vulnerability Scans

Establishes relevant security

management process control
activities.
Establishes relevant security
management process control
activities.
Establishes relevant security
management process control
activities.
Establishes relevant security
management process control
activities.

Establishes relevant security

management process control
activities.

Establishes relevant security

management process control
activities.
Establishes relevant security
management process control
activities.
Establishes relevant technology
infrastructure control activities.

Identifies and Manages the

Inventory of Information Assets
Communicates Information to
Improve Security Knowledge and
Awareness
Communicates Responsibilities

Analyzes Threats and

Vulnerabilities From Vendors,
Business Partners, and Other
Parties

Assesses Changes in Vendor

and Business Partner
Relationships
Communicates to External
Parties

Communicates Information on
Reporting Failures, Incidents,
Concerns, and Other Matters
Identifies and Assesses Criticality
of Information Assets and
Identifies Threats and
Vulnerabilities
Description

The entity identifies, inventories, classifies, and manages information assets.

The entity's risk identification and assessment process includes (1) identifying information
assets, including physical devices and systems, virtual devices, software, data and data flows,
external information systems, and organizational roles; (2) assessing the criticality of those
information assets; (3) identifying the threats to the assets from intentional (including
malicious) and unintentional acts and environmental events; and (4) identifying the
vulnerabilities of the identified assets.

Procedures are in place to detect the introduction of unknown or unauthorized components

The entity monitors system components and the operation of those components for anomalies
that are indicative of malicious acts, natural disasters, and errors affecting the entity's ability to
meet its objectives; anomalies are analyzed to determine whether they represent security
events.

The entity identifies, inventories, classifies, and manages information assets.

The entity's risk identification and assessment process includes (1) identifying information
assets, including physical devices and systems, virtual devices, software, data and data flows,
external information systems, and organizational roles; (2) assessing the criticality of those
information assets; (3) identifying the threats to the assets from intentional (including
malicious) and unintentional acts and environmental events; and (4) identifying the
vulnerabilities of the identified assets.

Procedures are in place to detect the introduction of unknown or unauthorized components

The ability to install applications and software is restricted to authorized individuals

The entity also selects and develops general control activities over technology to support the
achievement of objectives.

The entity also selects and develops general control activities over technology to support the
achievement of objectives.
The entity identifies and maintains confidential information to meet the entity’s objectives
related to confidentiality.

The entity's risk identification and assessment process includes (1) identifying information
assets, including physical devices and systems, virtual devices, software, data and data flows,
external information systems, and organizational roles; (2) assessing the criticality of those
information assets; (3) identifying the threats to the assets from intentional (including
malicious) and unintentional acts and environmental events; and (4) identifying the
vulnerabilities of the identified assets.

The entity identifies, inventories, classifies, and manages information assets.

Management selects and develops control activities that are designed and implemented to
restrict technology access rights to authorized users commensurate with their job
responsibilities and to protect the entity’s assets from external threats.
The entity implements logical access security software, infrastructure, and architectures over
protected information assests to protect them from security events to meet the entity
objectives

The entity disposes of confidential information to meet the entity’s objectives related to
confidentiality.

The entity discontinues logical and physical protections over physical assets only after the
ability to read or recover data and software from those assets has been diminished and is no
longer required to meet the entity's objective.
The entity implements logical access security software, infrastructure, and architectures over
protected information assests to protect them from security events to meet the entity
objectives
The entity's risk identification and assessment process includes (1) identifying information
assets, including physical devices and systems, virtual devices, software, data and data flows,
external information systems, and organizational roles; (2) assessing the criticality of those
information assets; (3) identifying the threats to the assets from intentional (including
malicious) and unintentional acts and environmental events; and (4) identifying the
vulnerabilities of the identified assets.
The entity's risk identification and assessment process includes (1) identifying information
assets, including physical devices and systems, virtual devices, software, data and data flows,
external information systems, and organizational roles; (2) assessing the criticality of those
information assets; (3) identifying the threats to the assets from intentional (including
malicious) and unintentional acts and environmental events; and (4) identifying the
vulnerabilities of the identified assets.
The entity implements logical access security software, infrastructure, and architectures over
protected information assests to protect them from security events to meet the entity
objectives
The entity implements logical access security software, infrastructure, and architectures over
protected information assests to protect them from security events to meet the entity
objectives
The entity restricts the transmission, movement, and removal of information to authorized
internal and external users and processes, and protects it during transmission, movement, or
removal to meet the entity’s objectives.

The entity implements logical access security software, infrastructure, and architectures over
protected information assests to protect them from security events to meet the entity
objectives

The entity restricts the transmission, movement, and removal of information to authorized
internal and external users and processes, and protects it during transmission, movement, or
removal to meet the entity’s objectives.

The entity restricts the transmission, movement, and removal of information to authorized
internal and external users and processes, and protects it during transmission, movement, or
removal to meet the entity’s objectives.

The entity implements logical access security software, infrastructure, and architectures over
protected information assests to protect them from security events to meet the entity
objectives

To meet its objectives, the entity uses detection and Monitoring procedures to identify (1)
changes to configurations that result in the introduction of new vulnerabilities, and (2)
susceptabilities to newly discovered vulnerabilities
The entity authorizes, designs, develops or acquires, configures, documents, tests, approves,
and implements changes to infrastructure, data, software, and procedures to meet its
objectives.

Management selects and develops control activities over the technology infrastructure, which
are designed and implemented to help ensure the completeness, accuracy, and availability of
technology processing.

The entity implements logical access security measures to protect against threats from
sources outside its system boundaries.

The entity implements logical access security measures to protect against threats from
sources outside its system boundaries.

Management selects and develops control activities over the technology infrastructure, which
are designed and implemented to help ensure the completeness, accuracy, and availability of
technology processing.

The entity authorizes, modifies, or removes access to data, software, functions, and other
protected information assets based on roles, responsibilities, or the system design and
changes, giving consideration to the concepts of least privilege and segregation of duties, to
meet the entity’s objectives.
The entity authorizes, modifies, or removes access to data, software, functions, and other
protected information assets based on roles, responsibilities, or the system design and
changes, giving consideration to the concepts of least privilege and segregation of duties, to
meet the entity’s objectives.

The entity implements logical access security measures to protect against threats from
sources outside its system boundaries.
The entity implements logical access security software, infrastructure, and architectures over
protected information assests to protect them from security events to meet the entity
objectives

Prior to issuing system credentials and granting system access, the entity registers and
authorizes new internal and external users whose access is administered by the entity. For
those users whose access is administered by the entity, user system credentials are removed
when user access is no longer authorized.

The entity authorizes, modifies, or removes access to data, software, functions, and other
protected information assets based on roles, responsibilities, or the system design and
changes, giving consideration to the concepts of least privilege and segregation of duties, to
meet the entity’s objectives.

The entity implements logical access security software, infrastructure, and architectures over
protected information assests to protect them from security events to meet the entity
objectives

The entity implements logical access security software, infrastructure, and architectures over
protected information assests to protect them from security events to meet the entity
objectives.

The entity authorizes, modifies, or removes access to data, software, functions, and other
protected information assets based on roles, responsibilities, or the system design and
changes, giving consideration to the concepts of least privilege and segregation of duties, to
meet the entity’s objectives.
The entity implements logical access security software, infrastructure, and architectures over
protected information assests to protect them from security events to meet the entity
objectives

Prior to issuing system credentials and granting system access, the entity registers and
authorizes new internal and external users whose access is administered by the entity. For
those users whose access is administered by the entity, user system credentials are removed
when user access is no longer authorized.
Prior to issuing system credentials and granting system access, the entity registers and
authorizes new internal and external users whose access is administered by the entity. For
those users whose access is administered by the entity, user system credentials are removed
when user access is no longer authorized.
The entity authorizes, modifies, or removes access to data, software, functions, and other
protected information assets based on roles, responsibilities, or the system design and
changes, giving consideration to the concepts of least privilege and segregation of duties, to
meet the entity’s objectives.
The entity implements logical access security software, infrastructure, and architectures over
protected information assests to protect them from security events to meet the entity
objectives

The entity implements logical access security measures to protect against threats from
sources outside its system boundaries.

The entity implements logical access security software, infrastructure, and architectures over
protected information assests to protect them from security events to meet the entity
objectives
The entity implements logical access security measures to protect against threats from
sources outside its system boundaries.
The entity implements logical access security software, infrastructure, and architectures over
protected information assests to protect them from security events to meet the entity
objectives

The entity implements logical access security software, infrastructure, and architectures over
protected information assests to protect them from security events to meet the entity
objectives

The entity authorizes, modifies, or removes access to data, software, functions, and other
protected information assets based on roles, responsibilities, or the system design and
changes, giving consideration to the concepts of least privilege and segregation of duties, to
meet the entity’s objectives.
The entity restricts physical access to facilities and protected information assets (for example,
data center facilities, back-up media storage, and other sensitive locations) to authorized
personnel to meet the entity’s objectives.

The entity authorizes, modifies, or removes access to data, software, functions, and other
protected information assets based on roles, responsibilities, or the system design and
changes, giving consideration to the concepts of least privilege and segregation of duties, to
meet the entity's objectives.

Management selects and develops control activities that are designed and implemented to
restrict technology access rights to authorized users commensurate with their job
responsibilities and to protect the entity’s assets from external threats.

The entity's risk identification and assessment process includes (1) identifying information
assets, including physical devices and systems, virtual devices, software, data and data flows,
external information systems, and organizational roles; (2) assessing the criticality of those
information assets; (3) identifying the threats to the assets from intentional (including
malicious) and unintentional acts and environmental events; and (4) identifying the
vulnerabilities of the identified assets.
The entity's risk identification and assessment process includes (1) identifying information
assets, including physical devices and systems, virtual devices, software, data and data flows,
external information systems, and organizational roles; (2) assessing the criticality of those
information assets; (3) identifying the threats to the assets from intentional (including
malicious) and unintentional acts and environmental events; and (4) identifying the
vulnerabilities of the identified assets.

The assessment of fraud risks includes consideration of threats and vulnerabilities that arise
specifically from the use of IT and access to information.

The entity identifies, selects, and develops risk mitigation activities for risks arising from
potential business disruptions
To meet its objectives, the entity uses detection and Monitoring procedures to identify (1)
changes to configurations that result in the introduction of new vulnerabilities, and (2)
susceptabilities to newly discovered vulnerabilities
To meet its objectives, the entity uses detection and Monitoring procedures to identify (1)
changes to configurations that result in the introduction of new vulnerabilities, and (2)
susceptabilities to newly discovered vulnerabilities
To meet its objectives, the entity uses detection and Monitoring procedures to identify (1)
changes to configurations that result in the introduction of new vulnerabilities, and (2)
susceptabilities to newly discovered vulnerabilities
The entity conducts vulnerability scans designed to identify potential vulnerabilities or
misconfigurations on a periodic basis and after any significant change in the environment and
takes action to remediate identified deficiencies on a timely basis.

The entity implements logical access security measures to protect against threats from
sources outside its system boundaries.

To meet its objectives, the entity uses detection and Monitoring procedures to identify (1)
changes to configurations that result in the introduction of new vulnerabilities, and (2)
susceptabilities to newly discovered vulnerabilities

The entity conducts vulnerability scans designed to identify potential vulnerabilities or

misconfigurations on a periodic basis and after any significant change in the environment and
takes action to remediate identified deficiencies on a timely basis.

The entity maintains, monitors, and evaluates current processing capacity and use of system
components (infrastructure, data, and software) to manage capacity demand and to enable
the implementation of additional capacity to help meet its objectives.
The entity selects, develops, and performs ongoing and/or separate evaluations to ascertain
whether the components of internal control are present and functioning.
Management selects and develops control activities that are designed and implemented to
restrict technology access rights to authorized users commensurate with their job
responsibilities and to protect the entity’s assets from external threats.
Management selects and develops control activities that are designed and implemented to
restrict technology access rights to authorized users commensurate with their job
responsibilities and to protect the entity’s assets from external threats.
The entity monitors system components and the operation of those components for anomalies
that are indicative of malicious acts, natural disasters, and errors affecting the entity's ability to
meet its objectives; anomalies are analyzed to determine whether they represent security
events.
Management selects and develops control activities that are designed and implemented to
restrict technology access rights to authorized users commensurate with their job
responsibilities and to protect the entity’s assets from external threats.
Management selects and develops control activities that are designed and implemented to
restrict technology access rights to authorized users commensurate with their job
responsibilities and to protect the entity’s assets from external threats.
The entity implements controls to prevent or detect and act upon the introduction of
unauthorized or malicious software to meet the entity's objectives.

The entity selects, develops, and performs ongoing and/or separate evaluations to ascertain
whether the components of internal control are present and functioning.
The entity evaluates security events to determine whether they could or have resulted in a
failure of the entity to meet its objectives (security incidents) and, if so, takes actions to
prevent or address such failures.

Management selects and develops control activities that are designed and implemented to
restrict technology access rights to authorized users commensurate with their job
responsibilities and to protect the entity’s assets from external threats.

Management selects and develops control activities that are designed and implemented to
restrict technology access rights to authorized users commensurate with their job
responsibilities and to protect the entity’s assets from external threats.

The entity implements logical access security measures to protect against threats from
sources outside its system boundaries.
Management selects and develops control activities that are designed and implemented to
restrict technology access rights to authorized users commensurate with their job
responsibilities and to protect the entity’s assets from external threats.

The entity implements controls to prevent or detect and act upon the introduction of
unauthorized or malicious software to meet the entity's objectives.

The entity implements controls to prevent or detect and act upon the introduction of
unauthorized or malicious software to meet the entity's objectives.

The entity implements controls to prevent or detect and act upon the introduction of
unauthorized or malicious software to meet the entity's objectives.

The entity authorizes, designs, develops or acquires, implements, operates, approves,

maintains, and monitors environmental protections, software, data back-up processes, and
recovery infrastructure to meet its objectives.

The entity restricts physical access to facilities and protected information assets (for example,
data center facilities, back-up media storage, and other sensitive locations) to authorized
personnel to meet the entity’s objectives.
The entity restricts the transmission, movement, and removal of information to authorized
internal and external users and processes, and protects it during transmission, movement, or
removal to meet the entity’s objectives.
The entity authorizes, designs, develops or acquires, implements, operates, approves,
maintains, and monitors environmental protections, software, data back-up processes, and
recovery infrastructure to meet its objectives.

The entity authorizes, designs, develops or acquires, implements, operates, approves,

maintains, and monitors environmental protections, software, data back-up processes, and
recovery infrastructure to meet its objectives.

The entity tests recovery plan procedures supporting system recovery to meet its objectives.

Management selects and develops control activities over the technology infrastructure, which
are designed and implemented to help ensure the completeness, accuracy, and availability of
technology processing.

The entity identifies, inventories, classifies, and manages information assets.

The entity implements logical access security software, infrastructure, and architectures over
protected information assests to protect them from security events to meet the entity
objectives

The entity implements logical access security software, infrastructure, and architectures over
protected information assests to protect them from security events to meet the entity
objectives
The entity monitors system components and the operation of those components for anomalies
that are indicative of malicious acts, natural disasters, and errors affecting the entity's ability to
meet its objectives; anomalies are analyzed to determine whether they represent security
events.

The entity implements logical access security measures to protect against threats from
sources outside its system boundaries.

The entity monitors system components and the operation of those components for anomalies
that are indicative of malicious acts, natural disasters, and errors affecting the entity's ability to
meet its objectives; anomalies are analyzed to determine whether they represent security
events.
The entity implements logical access security measures to protect against threats from
sources outside its system boundaries.

The entity restricts the transmission, movement, and removal of information to authorized
internal and external users and processes, and protects it during transmission, movement, or
removal to meet the entity’s objectives.

The entity implements logical access security measures to protect against threats from
sources outside its system boundaries.

The entity monitors system components and the operation of those components for anomalies
that are indicative of malicious acts, natural disasters, and errors affecting the entity's ability to
meet its objectives; anomalies are analyzed to determine whether they represent security
events.

The entity implements logical access security measures to protect against threats from
sources outside its system boundaries.

The entity monitors system components and the operation of those components for anomalies
that are indicative of malicious acts, natural disasters, and errors affecting the entity's ability to
meet its objectives; anomalies are analyzed to determine whether they represent security
events.
The entity implements logical access security measures to protect against threats from
sources outside its system boundaries.

The entity implements logical access security measures to protect against threats from
sources outside its system boundaries.

The entity monitors system components and the operation of those components for anomalies
that are indicative of malicious acts, natural disasters, and errors affecting the entity's ability to
meet its objectives; anomalies are analyzed to determine whether they represent security
events.
The entity monitors system components and the operation of those components for anomalies
that are indicative of malicious acts, natural disasters, and errors affecting the entity's ability to
meet its objectives; anomalies are analyzed to determine whether they represent security
events.
The entity maintains, monitors, and evaluates current processing capacity and use of system
components (infrastructure, data, and software) to manage capacity demand and to enable
the implementation of additional capacity to help meet its objectives.

The entity demonstrates a commitment to attract, develop, and retain competent individuals in
alignment with objectives.

The entity internally communicates information, including objectives and responsibilities for
internal control, necessary to support the functioning of internal control.

The entity communicates information to improve security knowledge and awareness and to
model appropriate security behaviors to personnel through a security awareness training
program.
Entity personnel with responsibility for designing,
developing, implementing, operating, maintaining, or monitoring system controls receive
communications about their responsibilities, including changes in their responsibilities, and
have the information necessary to carry out those responsibilities.

The entity's risk assessment process includes the analysis of potential threats and
vulnerabilities arising from vendors providing goods and services, as well as threats and
vulnerabilities arising from business partners, customers, and others with access to the entity's
information systems.

The risk identification process considers changes in vendor and business partner
relationships.
The entity assesses and manages risks associated with vendors and business partners.

The entity demonstrates a commitment to attract, develop, and retain competent individuals in
alignment with objectives.
Processes are in place to communicate relevant and timely information to external parties,
including shareholders, partners, owners, regulators, customers, financial analysts, and other
external parties.

Entity personnel are provided with information on how to report systems failures, incidents,
concerns, and other complaints to personnel.

The entity monitors system components and the operation of those components for anomalies
that are indicative of malicious acts, natural disasters, and errors affecting the entity's ability to
meet its objectives; anomalies are analyzed to determine whether they represent security
events.

The entity responds to identified security incidents by executing a defined incident response
program to understand, contain, remediate, and communicate security incidents, as
appropriate.

The entity identifies, develops, and implements activities to recover from identified security
incidents.

The entity evaluates security events to determine whether they could or have resulted in a
failure of the entity to meet its objectives (security incidents) and, if so, takes actions to
prevent or address such failures.
The entity's risk identification and assessment process includes (1) identifying information
assets, including physical devices and systems, virtual devices, software, data and data flows,
external information systems, and organizational roles; (2) assessing the criticality of those
information assets; (3) identifying the threats to the assets from intentional (including
malicious) and unintentional acts and environmental events; and (4) identifying the
vulnerabilities of the identified assets.
The following trust services criteria are NOT mapped to the CIS Controls
CC1.1

CC1.2

CC1.3
CC1.5
CC2.1

CC3.1

CC4.2

CC5.1

CC5.3

PI1.1

PI1.2

PI1.3

PI1.4

PI1.5

P1.1

P2.1
P3.1

P3.2

P4.1
P4.2
P4.3
P5.1

P5.2

P6.1

P6.2

P6.3

P6.4

P6.5

P6.6

P6.7

P7.1

P8.1
The following trust services criteria are NOT mapped to the CIS Controls
The entity demonstrates a commitment to integrity and ethical values.
The board of directors demonstrates independence from management and
exercises oversight of the development and performance of internal control.
Management establishes, with board oversight, structures, reporting lines,
and appropriate authorities and responsibilities in the pursuit of objectives.
The entity holds individuals accountable for their internal control responsibilities in the pursuit of objectives
The entity obtains or generates and uses relevant, quality information to support the functioning of internal
The entity specifies objectives with sufficient clarity to enable the identification and assessment of risks rela
objectives.
The entity evaluates and communicates internal control deficiencies in a timely manner to those parties res
taking corrective action, including senior management and the board of directors, as appropriate.
The entity selects and develops control activities that contribute to the mitigation of risks to the achievemen
to acceptable levels.
The entity deploys control activities through policies that establish what is expected and in procedures that
into action.
The entity obtains or generates, uses, and communicates relevant, quality information regarding the object
processing, including definitions of data processed and product and service specifications, to support the u
and services.
The entity implements policies and procedures over system inputs, including controls over completeness a
result in products, services, and reporting to meet the entity’s objectives.
The entity implements policies and procedures over system processing to result in products, services, and
meet the entity’s objectives.
The entity implements policies and procedures to make available or deliver output completely, accurately,
accordance with specifications to meet the entity’s objectives.
The entity implements policies and procedures to store inputs, items in processing, and outputs completely
and timely in accordance with system specifications to meet the entity’s objectives.

The entity provides notice to data subjects about its privacy practices to meet the entity’s objectives related
The notice is updated and communicated to data subjects in a timely manner for changes to the entity’s pr
including changes in the use of personal information, to meet the entity’s objectives related to privacy.
The entity communicates choices available regarding the collection, use, retention, disclosure, and disposa
information to the data subjects and the consequences, if any, of each choice. Explicit consent for the colle
retention, disclosure, and disposal of personal information is obtained from data subjects or other authorize
required. Such consent is obtained only for the intended purpose of the information to meet the entity’s obj
to privacy. The entity’s basis for determining implicit consent for the collection, use, retention, disclosure, a
personal information is documented.
Personal information is collected consistent with the entity’s objectives related to privacy.
For information requiring explicit consent, the entity communicates the need for such consent, as well as th
consequences of a failure to provide consent for the request for personal information, and obtains the cons
collection of the information to meet the entity’s objectives related to privacy.

The entity limits the use of personal information to the purposes identified in the entity’s objectives related
The entity retains personal information consistent with the entity’s objectives related to privacy.
The entity securely disposes of personal information to meet the entity’s objectives related to privacy.
The entity grants identified and authenticated data subjects the ability to access their stored personal inform
review and, upon request, provides physical or electronic copies of that information to data subjects to mee
objectives related to privacy. If access is denied, data subjects are informed of the denial and reason for su
required, to meet the entity’s objectives related to privacy.
The entity corrects, amends, or appends personal information based on information provided by data subje
communicates such information to third parties, as committed or required, to meet the entity’s objectives re
privacy. If a request for correction is denied, data subjects are informed of the denial and reason for such d
the entity’s objectives related to privacy.
The entity discloses personal information to third parties with the explicit consent of data subjects, and suc
obtained prior to disclosure to meet the entity’s objectives related to privacy.
The entity creates and retains a complete, accurate, and timely record of authorized disclosures of persona
meet the entity’s objectives related to privacy.
The entity creates and retains a complete, accurate, and timely record of detected or reported unauthorize
(including breaches) of personal information to meet the entity’s objectives related to privacy.
The entity obtains privacy commitments from vendors and other third parties who have access to personal
meet the entity’s objectives related to privacy. The entity assesses those parties’ compliance on a periodic
basis and takes corrective action, if necessary.
The entity obtains commitments from vendors and other third parties with access to personal information to
entity in the event of actual or suspected unauthorized disclosures of personal information. Such notificatio
to appropriate personnel and acted on in accordance with established incident response procedures to me
objectives related to privacy.
The entity provides notification of breaches and incidents to affected data subjects, regulators, and others
entity’s objectives related to privacy.
The entity provides data subjects with an accounting of the personal information held and disclosure of the
personal information, upon the data subjects’ request, to meet the entity’s objectives related to privacy.
The entity collects and maintains accurate, up-to-date, complete, and relevant personal information to mee
objectives related to privacy.
The entity implements a process for receiving, addressing, resolving, and communicating the resolution of
complaints, and disputes from data subjects and others and periodically monitors compliance to meet the e
objectives related to privacy. Corrections and other necessary actions related to identified deficiencies are
in a timely manner.
The following CIS Safeguards are NOT mapped to SOC2:

1.3

1.4

2.2

2.4

3.1

3.4

4.3

4.9

4.10

4.11

4.12
5.3

5.5
6.7

7.7

8.1

8.2
8.6
8.10
8.12

9.1

9.4
9.6
9.7
10.2
10.3
10.4
10.7

11.2

11.4

12.1

12.2
12.5

12.7

13.1

13.7
14.2

14.3

14.4

14.5
14.6

14.7

14.8

15.1
15.3

15.4

15.5

15.6

15.7

16.2

16.3

16.4

16.5

16.6

16.7
16.8
16.9

16.10

16.11

16.12

16.13

16.14

17.1

17.5

17.6

17.7

17.9

18.1
18.2

18.4

18.5
rds are NOT mapped to SOC2:

Utilize an Active Discovery Tool

Use Dynamic Host Configuration Protocol (DHCP) Logging to Update Enterprise Asset Inventory

Ensure Authorized Software is Currently Supported

Utilize Automated Software Inventory Tools

Establish and Maintain a Data Management Process

Enforce Data Retention

Configure Automatic Session Locking on Enterprise Assets

Configure Trusted DNS Servers on Enterprise Assets

Enforce Automatic Device Lockout on Portable End-User Devices

Enforce Remote Wipe Capability on Portable End-User Devices

Separate Enterprise Workspaces on Mobile End-User Devices

Disable Dormant Accounts

Establish and Maintain an Inventory of Service Accounts

Centralize Access Control

Remediate Detected Vulnerabilities

Establish and Maintain an Audit Log Management Process

Collect Audit Logs

Collect DNS Query Audit Logs
Retain Audit Logs
Collect Service Provider Logs

Ensure Use of Only Fully Supported Browsers and Email Clients

Restrict Unnecessary or Unauthorized Browser and Email Client Extensions

Block Unnecessary File Types
Deploy and Maintain Email Server Anti-Malware Protections
Configure Automatic Anti-Malware Signature Updates
Disable Autorun and Autoplay for Removable Media
Configure Automatic Anti-Malware Scanning of Removable Media
Use Behavior-Based Anti-Malware Software

Perform Automated Backups

Establish and Maintain an Isolated Instance of Recovery Data

Ensure Network Infrastructure is Up-to-Date

Establish and Maintain a Secure Network Architecture

Centralize Network Authentication, Authorization, and Auditing (AAA)

Ensure Remote Devices Utilize a VPN and are Connecting to an Enterprise’s AAA Infrastructure

Centralize Security Event Alerting

Deploy a Host-Based Intrusion Prevention Solution

Train Workforce Members to Recognize Social Engineering Attacks

Train Workforce Members on Authentication Best Practices

Train Workforce on Data Handling Best Practices

Train Workforce Members on Causes of Unintentional Data Exposure

Train Workforce Members on Recognizing and Reporting Security Incidents

Train Workforce on How to Identify and Report if Their Enterprise Assets are Missing Security Updates

Train Workforce on the Dangers of Connecting to and Transmitting Enterprise Data Over Insecure Networks

Establish and Maintain an Inventory of Service Providers

Classify Service Providers

Ensure Service Provider Contracts Include Security Requirements

Assess Service Providers

Monitor Service Providers

Securely Decommission Service Providers

Establish and Maintain a Process to Accept and Address Software Vulnerabilities

Perform Root Cause Analysis on Security Vulnerabilities

Establish and Manage an Inventory of Third-Party Software Components

Use Up-to-Date and Trusted Third-Party Software Components

Establish and Maintain a Severity Rating System and Process for Application Vulnerabilities

Use Standard Hardening Configuration Templates for Application Infrastructure

Separate Production and Non-Production Systems
Train Developers in Application Security Concepts and Secure Coding

Apply Secure Design Principles in Application Architectures

Leverage Vetted Modules or Services for Application Security Components

Implement Code-Level Security Checks

Conduct Application Penetration Testing

Conduct Threat Modeling

Designate Personnel to Manage Incident Handling

Assign Key Roles and Responsibilities

Define Mechanisms for Communicating During Incident Response

Conduct Routine Incident Response Exercises

Establish and Maintain Security Incident Thresholds

Establish and Maintain a Penetration Testing Program

Perform Periodic External Penetration Tests

Validate Security Measures

Perform Periodic Internal Penetration Tests

Utilize an active discovery tool to identify assets connected to the enterprise’s network. Configure the active discove
execute daily, or more frequently.
Use DHCP logging on all DHCP servers or Internet Protocol (IP) address management tools to update the enterpris
inventory. Review and use logs to update the enterprise’s asset inventory weekly, or more frequently.

Ensure that only currently supported software is designated as authorized in the software inventory for enterprise as
software is unsupported, yet necessary for the fulfillment of the enterprise’s mission, document an exception detailin
controls and residual risk acceptance. For any unsupported software without an exception documentation, designate
unauthorized. Review the software list to verify software support at least monthly, or more frequently.
Utilize software inventory tools, when possible, throughout the enterprise to automate the discovery and documenta
installed software.

Establish and maintain a data management process. In the process, address data sensitivity, data owner, handling o
retention limits, and disposal requirements, based on sensitivity and retention standards for the enterprise. Review a
documentation annually, or when significant enterprise changes occur that could impact this Safeguard.
Retain data according to the enterprise’s data management process. Data retention must include both minimum and
timelines.

Configure automatic session locking on enterprise assets after a defined period of inactivity. For general purpose op
systems, the period must not exceed 15 minutes. For mobile end-user devices, the period must not exceed 2 minute
Configure trusted DNS servers on enterprise assets. Example implementations include: configuring assets to use en
controlled DNS servers and/or reputable externally accessible DNS servers.
Enforce automatic device lockout following a predetermined threshold of local failed authentication attempts on porta
devices, where supported. For laptops, do not allow more than 20 failed authentication attempts; for tablets and sma
more than 10 failed authentication attempts. Example implementations include Microsoft® InTune Device Lock and
Configuration Profile maxFailedAttempts.
Remotely wipe enterprise data from enterprise-owned portable end-user devices when deemed appropriate such as
stolen devices, or when an individual no longer supports the enterprise.
Ensure separate enterprise workspaces are used on mobile end-user devices, where supported. Example implemen
include using an Apple® Configuration Profile or Android™ Work Profile to separate enterprise applications and data
personal applications and data.
Delete or disable any dormant accounts after a period of 45 days of inactivity, where supported.
Establish and maintain an inventory of service accounts. The inventory, at a minimum, must contain department own
date, and purpose. Perform service account reviews to validate that all active accounts are authorized, on a recurrin
at a minimum quarterly, or more frequently.
Centralize access control for all enterprise assets through a directory service or SSO provider, where supported.
Remediate detected vulnerabilities in software through processes and tooling on a monthly, or more frequent, basis,
the remediation process.
Establish and maintain an audit log management process that defines the enterprise’s logging requirements. At a m
address the collection, review, and retention of audit logs for enterprise assets. Review and update documentation a
when significant enterprise changes occur that could impact this Safeguard.
Collect audit logs. Ensure that logging, per the enterprise’s audit log management process, has been enabled acros
assets.
Collect DNS query audit logs on enterprise assets, where appropriate and supported.
Retain audit logs across enterprise assets for a minimum of 90 days.
Collect service provider logs, where supported. Example implementations include collecting authentication and auth
events, data creation and disposal events, and user management events.
Ensure only fully supported browsers and email clients are allowed to execute in the enterprise, only using the latest
browsers and email clients provided through the vendor.
Restrict, either through uninstalling or disabling, any unauthorized or unnecessary browser or email client plugins, ex
and add-on applications.
Block unnecessary file types attempting to enter the enterprise’s email gateway.
Deploy and maintain email server anti-malware protections, such as attachment scanning and/or sandboxing.
Configure automatic updates for anti-malware signature files on all enterprise assets.
Disable autorun and autoplay auto-execute functionality for removable media.
Configure anti-malware software to automatically scan removable media.
Use behavior-based anti-malware software.
Perform automated backups of in-scope enterprise assets. Run backups weekly, or more frequently, based on the s
the data.
Establish and maintain an isolated instance of recovery data. Example implementations include, version controlling b
destinations through offline, cloud, or off-site systems or services.
Ensure network infrastructure is kept up-to-date. Example implementations include running the latest stable release
and/or using currently supported network-as-a-service (NaaS) offerings. Review software versions monthly, or more
to verify software support.
Establish and maintain a secure network architecture. A secure network architecture must address segmentation, le
and availability, at a minimum.
Centralize network AAA.
Require users to authenticate to enterprise-managed VPN and authentication services prior to accessing enterprise
end-user devices.
Centralize security event alerting across enterprise assets for log correlation and analysis. Best practice implementa
the use of a SIEM, which includes vendor-defined event correlation alerts. A log analytics platform configured with s
relevant correlation alerts also satisfies this Safeguard.
Deploy a host-based intrusion prevention solution on enterprise assets, where appropriate and/or supported. Exam
implementations include use of an Endpoint Detection and Response (EDR) client or host-based IPS agent.
Train workforce members to recognize social engineering attacks, such as phishing, pre-texting, and tailgating.
Train workforce members on authentication best practices. Example topics include MFA, password composition, and
management.

Train workforce members on how to identify and properly store, transfer, archive, and destroy sensitive data. This al
training workforce members on clear screen and desk best practices, such as locking their screen when they step aw
their enterprise asset, erasing physical and virtual whiteboards at the end of meetings, and storing data and assets s
Train workforce members to be aware of causes for unintentional data exposure. Example topics include mis-deliver
sensitive data, losing a portable end-user device, or publishing data to unintended audiences.
Train workforce members to be able to recognize a potential incident and be able to report such an incident.

Train workforce to understand how to verify and report out-of-date software patches or any failures in automated pro
tools. Part of this training should include notifying IT personnel of any failures in automated processes and tools.
Train workforce members on the dangers of connecting to, and transmitting data over, insecure networks for enterpr
If the enterprise has remote workers, training must include guidance to ensure that all users securely configure their
network infrastructure.
Establish and maintain an inventory of service providers. The inventory is to list all known service providers, include
classification(s), and designate an enterprise contact for each service provider. Review and update the inventory an
when significant enterprise changes occur that could impact this Safeguard.
Classify service providers. Classification consideration may include one or more characteristics, such as data sensit
volume, availability requirements, applicable regulations, inherent risk, and mitigated risk. Update and review classif
annually, or when significant enterprise changes occur that could impact this Safeguard.

Ensure service provider contracts include security requirements. Example requirements may include minimum secu
requirements, security incident and/or data breach notification and response, data encryption requirements, and dat
commitments. These security requirements must be consistent with the enterprise’s service provider management p
Review service provider contracts annually to ensure contracts are not missing security requirements.

Assess service providers consistent with the enterprise’s service provider management policy. Assessment scope m
based on classification(s), and may include review of standardized assessment reports, such as Service Organizatio
(SOC 2) and Payment Card Industry (PCI) Attestation of Compliance (AoC), customized questionnaires, or other ap
rigorous processes. Reassess service providers annually, at a minimum, or with new and renewed contracts.

Monitor service providers consistent with the enterprise’s service provider management policy. Monitoring may inclu
reassessment of service provider compliance, monitoring service provider release notes, and dark web monitoring.
Securely decommission service providers. Example considerations include user and service account deactivation, te
data flows, and secure disposal of enterprise data within service provider systems.

Establish and maintain a process to accept and address reports of software vulnerabilities, including providing a me
external entities to report. The process is to include such items as: a vulnerability handling policy that identifies repo
responsible party for handling vulnerability reports, and a process for intake, assignment, remediation, and remediat
testing. As part of the process, use a vulnerability tracking system that includes severity ratings, and metrics for mea
for identification, analysis, and remediation of vulnerabilities. Review and update documentation annually, or when s
enterprise changes occur that could impact this Safeguard.

Third-party application developers need to consider this an externally-facing policy that helps to set expectations for
stakeholders.
Perform root cause analysis on security vulnerabilities. When reviewing vulnerabilities, root cause analysis is the tas
evaluating underlying issues that create vulnerabilities in code, and allows development teams to move beyond just
individual vulnerabilities as they arise.
Establish and manage an updated inventory of third-party components used in development, often referred to as a “
materials,” as well as components slated for future use. This inventory is to include any risks that each third-party co
could pose. Evaluate the list at least monthly to identify any changes or updates to these components, and validate
component is still supported.
Use up-to-date and trusted third-party software components. When possible, choose established and proven framew
libraries that provide adequate security. Acquire these components from trusted sources or evaluate the software fo
vulnerabilities before use.

Establish and maintain a severity rating system and process for application vulnerabilities that facilitates prioritizing t
which discovered vulnerabilities are fixed. This process includes setting a minimum level of security acceptability for
code or applications. Severity ratings bring a systematic way of triaging vulnerabilities that improves risk manageme
ensure the most severe bugs are fixed first. Review and update the system and process annually.

Use standard, industry-recommended hardening configuration templates for application infrastructure components. T
underlying servers, databases, and web servers, and applies to cloud containers, Platform as a Service (PaaS) com
SaaS components. Do not allow in-house developed software to weaken configuration hardening.
Maintain separate environments for production and non-production systems.
Ensure that all software development personnel receive training in writing secure code for their specific developmen
environment and responsibilities. Training can include general security principles and application security standard p
Conduct training at least annually and design in a way to promote security within the development team, and build a
security among the developers.

Apply secure design principles in application architectures. Secure design principles include the concept of least priv
enforcing mediation to validate every operation that the user makes, promoting the concept of "never trust user inpu
include ensuring that explicit error checking is performed and documented for all input, including for size, data type,
acceptable ranges or formats. Secure design also means minimizing the application infrastructure attack surface, su
off unprotected ports and services, removing unnecessary programs and files, and renaming or removing default ac

Leverage vetted modules or services for application security components, such as identity management, encryption
auditing and logging. Using platform features in critical security functions will reduce developers’ workload and minim
likelihood of design or implementation errors. Modern operating systems provide effective mechanisms for identifica
authentication, and authorization and make those mechanisms available to applications. Use only standardized, curr
accepted, and extensively reviewed encryption algorithms. Operating systems also provide mechanisms to create a
secure audit logs.

Apply static and dynamic analysis tools within the application life cycle to verify that secure coding practices are bein
Conduct application penetration testing. For critical applications, authenticated penetration testing is better suited to
business logic vulnerabilities than code scanning and automated security testing. Penetration testing relies on the sk
tester to manually manipulate an application as an authenticated and unauthenticated user.
Conduct threat modeling. Threat modeling is the process of identifying and addressing application security design fla
design, before code is created. It is conducted through specially trained individuals who evaluate the application des
gauge security risks for each entry point and access level. The goal is to map out the application, architecture, and i
in a structured way to understand its weaknesses.

Designate one key person, and at least one backup, who will manage the enterprise’s incident handling process. Ma
personnel are responsible for the coordination and documentation of incident response and recovery efforts and can
employees internal to the enterprise, third-party vendors, or a hybrid approach. If using a third-party vendor, designa
one person internal to the enterprise to oversee any third-party work. Review annually, or when significant enterprise
occur that could impact this Safeguard.
Assign key roles and responsibilities for incident response, including staff from legal, IT, information security, facilitie
relations, human resources, incident responders, and analysts, as applicable. Review annually, or when significant e
changes occur that could impact this Safeguard.

Determine which primary and secondary mechanisms will be used to communicate and report during a security incid
Mechanisms can include phone calls, emails, or letters. Keep in mind that certain mechanisms, such as emails, can
during a security incident. Review annually, or when significant enterprise changes occur that could impact this Safe
Plan and conduct routine incident response exercises and scenarios for key personnel involved in the incident respo
to prepare for responding to real-world incidents. Exercises need to test communication channels, decision making,
workflows. Conduct testing on an annual basis, at a minimum.
Establish and maintain security incident thresholds, including, at a minimum, differentiating between an incident and
Examples can include: abnormal activity, security vulnerability, security weakness, data breach, privacy incident, etc
annually, or when significant enterprise changes occur that could impact this Safeguard.

Establish and maintain a penetration testing program appropriate to the size, complexity, and maturity of the enterpr
Penetration testing program characteristics include scope, such as network, web application, Application Programm
(API), hosted services, and physical premise controls; frequency; limitations, such as acceptable hours, and exclude
types; point of contact information; remediation, such as how findings will be routed internally; and retrospective requ
Perform periodic external penetration tests based on program requirements, no less than annually. External penetra
must include enterprise and environmental reconnaissance to detect exploitable information. Penetration testing req
specialized skills and experience and must be conducted through a qualified party. The testing may be clear box or
Validate security measures after each penetration test. If deemed necessary, modify rulesets and capabilities to dete
techniques used during testing.
Perform periodic internal penetration tests based on program requirements, no less than annually. The testing may b
or opaque box.