Please note: This sample shows only a section of the complete current and target profile tool.
CSF Current and Target Profile

Worksheet columns: FUNCTION | CATEGORY | CATEGORY CURRENT TIER | CATEGORY TARGET TIER | SUBCATEGORY | SUBCATEGORY APPLICABLE? | IS CATEGORY TARGET TIER CURRENTLY MET? | CURRENT PROVISION | TARGET PROVISION | TARGET PRIORITY | ACTION ITEM(S) | RESPONSIBLE PARTIES | TARGET COMPLETION DATE | NOTES. In this sample only the first seven columns carry values; the remaining columns are blank.

GOVERN (GV), 31 Subcategories: The organization's cybersecurity risk management strategy, expectations, and policy are established, communicated, and monitored.

Organizational Context (GV.OC): The circumstances — mission, stakeholder expectations, dependencies, and legal, regulatory, and contractual requirements — surrounding the organization's cybersecurity risk management decisions are understood.
Category current tier: Tier 1 Partial | Category target tier: Tier 1 Partial
GV.OC-01: The organizational mission is understood and informs cybersecurity risk management | Applicable? Yes | Target tier currently met? N/A
GV.OC-02: Internal and external stakeholders are understood, and their needs and expectations regarding cybersecurity risk management are understood and considered | Applicable? Yes | Target tier currently met? N/A
GV.OC-03: Legal, regulatory, and contractual requirements regarding cybersecurity — including privacy and civil liberties obligations — are understood and managed | Applicable? Yes | Target tier currently met? N/A
GV.OC-04: Critical objectives, capabilities, and services that stakeholders depend on or expect from the organization are understood and communicated | Applicable? Yes | Target tier currently met? N/A
GV.OC-05: Outcomes, capabilities, and services that the organization depends on are understood and communicated | Applicable? Yes | Target tier currently met? N/A
Totals: 5 applicable, 0 met

Risk Management Strategy (GV.RM): The organization's priorities, constraints, risk tolerance and appetite statements, and assumptions are established, communicated, and used to support operational risk decisions.
Category current tier: Tier 1 Partial | Category target tier: Tier 1 Partial
GV.RM-01: Risk management objectives are established and agreed to by organizational stakeholders | Applicable? Yes | Target tier currently met? N/A
GV.RM-02: Risk appetite and risk tolerance statements are determined, communicated, and maintained | Applicable? Yes | Target tier currently met? N/A
GV.RM-03: Cybersecurity risk management activities and outcomes are included in enterprise risk management processes | Applicable? Yes | Target tier currently met? N/A
GV.RM-04: Strategic direction that describes appropriate risk response options is established and communicated | Applicable? Yes | Target tier currently met? N/A
GV.RM-05: Lines of communication across the organization are established for cybersecurity risks, including risks from suppliers and other third parties | Applicable? Yes | Target tier currently met? N/A
GV.RM-06: A standardized method for calculating, documenting, categorizing, and prioritizing cybersecurity risks is established and communicated | Applicable? Yes | Target tier currently met? N/A
GV.RM-07: Strategic opportunities (i.e., positive risks) are characterized and included in organizational cybersecurity risk discussions | Applicable? Yes | Target tier currently met? N/A
Totals: 7 applicable, 0 met

Roles, Responsibilities, and Authorities (GV.RR): Cybersecurity roles, responsibilities, and authorities to foster accountability, performance assessment, and continuous improvement are established and communicated.
Category current tier: Tier 1 Partial | Category target tier: Tier 1 Partial
GV.RR-01: Organizational leadership is responsible and accountable for cybersecurity risk and fosters a culture that is risk-aware, ethical, and continually improving | Applicable? Yes | Target tier currently met? N/A
GV.RR-02: Roles, responsibilities, and authorities related to cybersecurity risk management are established, communicated, understood, and enforced | Applicable? Yes | Target tier currently met? N/A
GV.RR-03: Adequate resources are allocated commensurate with cybersecurity risk strategy, roles and responsibilities, and policies | Applicable? Yes | Target tier currently met? N/A
GV.RR-04: Cybersecurity is included in human resources practices | Applicable? Yes | Target tier currently met? N/A
Totals: 4 applicable, 0 met

Policy (GV.PO): Organizational cybersecurity policy is established, communicated, and enforced.
Category current tier: Tier 1 Partial | Category target tier: Tier 1 Partial
GV.PO-01: Policy for managing cybersecurity risks is established based on organizational context, cybersecurity strategy, and priorities and is communicated and enforced | Applicable? Yes | Target tier currently met? N/A
GV.PO-02: Policy for managing cybersecurity risks is reviewed, updated, communicated, and enforced to reflect changes in requirements, threats, technology, and organizational mission | Applicable? Yes | Target tier currently met? N/A
Totals: 2 applicable, 0 met

Oversight (GV.OV): Results of organization-wide cybersecurity risk management activities and performance are used to inform, improve, and adjust the risk management strategy.
Category current tier: Tier 1 Partial | Category target tier: Tier 1 Partial
GV.OV-01: Cybersecurity risk management strategy outcomes are reviewed to inform and adjust strategy and direction | Applicable? Yes | Target tier currently met? N/A
GV.OV-02: The cybersecurity risk management strategy is reviewed and adjusted to ensure coverage of organizational requirements and risks | Applicable? Yes | Target tier currently met? N/A
GV.OV-03: Organizational cybersecurity risk management performance is evaluated and reviewed for adjustments needed | Applicable? Yes | Target tier currently met? N/A
Totals: 3 applicable, 0 met

Cybersecurity Supply Chain Risk Management (GV.SC): Cyber supply chain risk management processes are identified, established, managed, monitored, and improved by organizational stakeholders.
Category current tier: Tier 1 Partial | Category target tier: Tier 1 Partial
GV.SC-01: A cybersecurity supply chain risk management program, strategy, objectives, policies, and processes are established and agreed to by organizational stakeholders | Applicable? Yes | Target tier currently met? N/A
GV.SC-02: Cybersecurity roles and responsibilities for suppliers, customers, and partners are established, communicated, and coordinated internally and externally | Applicable? Yes | Target tier currently met? No
GV.SC-03: Cybersecurity supply chain risk management is integrated into cybersecurity and enterprise risk management, risk assessment, and improvement processes | Applicable? Yes | Target tier currently met? N/A
GV.SC-04: Suppliers are known and prioritized by criticality | Applicable? Yes | Target tier currently met? N/A
GV.SC-05: Requirements to address cybersecurity risks in supply chains are established, prioritized, and integrated into contracts and other types of agreements with suppliers and other relevant third parties | Applicable? Yes | Target tier currently met? N/A
GV.SC-06: Planning and due diligence are performed to reduce risks before entering into formal supplier or other third-party relationships | Applicable? Yes | Target tier currently met? N/A
GV.SC-07: The risks posed by a supplier, their products and services, and other third parties are understood, recorded, prioritized, assessed, responded to, and monitored over the course of the relationship | Applicable? Yes | Target tier currently met? N/A
GV.SC-08: Relevant suppliers and other third parties are included in incident planning, response, and recovery activities | Applicable? Yes | Target tier currently met? N/A
GV.SC-09: Supply chain security practices are integrated into cybersecurity and enterprise risk management programs, and their performance is monitored throughout the technology product and service lifecycle | Applicable? Yes | Target tier currently met? N/A
GV.SC-10: Cybersecurity supply chain risk management plans include provisions for activities that occur after the conclusion of a partnership or service agreement | Applicable? Yes | Target tier currently met? N/A
Totals: 10 applicable, 0 met
CSF Current and Target Profile dashboard

To refresh chart data, click on "Refresh All" on the Data ribbon.

CSF current and target profile results

CATEGORY | NUMBER OF SUBCATEGORIES | NUMBER OF SUBCATEGORIES APPLICABLE | % OF SUBCATEGORIES APPLICABLE | NUMBER OF APPLICABLE SUBCATEGORIES WHERE CATEGORY TARGET TIER IS CURRENTLY MET | % OF APPLICABLE SUBCATEGORIES WHERE CATEGORY TARGET TIER IS CURRENTLY MET
Organizational Context | 5 | 5 | 100% | 0 | 0%
Risk Management Strategy | 7 | 7 | 100% | 0 | 0%
Roles, Responsibilities, and Authorities | 4 | 4 | 100% | 0 | 0%
Policies, Processes, and Procedures | 2 | 2 | 100% | 0 | 0%
Oversight | 3 | 3 | 100% | 0 | 0%
Cybersecurity Supply Chain Risk Management | 10 | 10 | 100% | 0 | 0%
Asset Management | 7 | 7 | 100% | 0 | 0%
Risk Assessment | 10 | 10 | 100% | 0 | 0%
Improvement | 4 | 4 | 100% | 0 | 0%
Identity Management, Authentication, and Access Control | 6 | 6 | 100% | 0 | 0%
Awareness and Training | 2 | 2 | 100% | 0 | 0%
Data Security | 4 | 4 | 100% | 0 | 0%
Platform Security | 6 | 6 | 100% | 0 | 0%
Technology Infrastructure Resilience | 4 | 4 | 100% | 0 | 0%
Continuous Monitoring | 5 | 5 | 100% | 0 | 0%
Adverse Event Analysis | 6 | 6 | 100% | 0 | 0%
Incident Management | 5 | 5 | 100% | 0 | 0%
Incident Analysis | 4 | 4 | 100% | 0 | 0%
Incident Response Reporting and Communication | 2 | 2 | 100% | 0 | 0%
Incident Mitigation | 2 | 2 | 100% | 0 | 0%
Incident Recovery Plan Execution | 6 | 6 | 100% | 0 | 0%
Incident Recovery Communication | 2 | 2 | 100% | 0 | 0%
Total | 106 | 106 | 100% | 0 | 0%

[Charts: three bar charts plotted per category from the table above. (1) "CSF number of applicable subcategories by category and if category target tier is currently met", x-axis 0 to 12, series NUMBER OF SUBCATEGORIES APPLICABLE and NUMBER OF APPLICABLE SUBCATEGORIES WHERE CATEGORY TARGET TIER IS CURRENTLY MET. (2) "CSF percentage of applicable subcategories by category and if category target tier is currently met", x-axis 0% to 100%, series % OF SUBCATEGORIES APPLICABLE and % OF APPLICABLE SUBCATEGORIES WHERE CATEGORY TARGET TIER IS CURRENTLY MET. (3) "CSF percentage of subcategories by category applicable and met", x-axis 0% to 100%, same two percentage series. In this sample every category shows 100% applicable and 0% met.]
Functions and categories

FUNCTION | CATEGORY IDENTIFIER | CATEGORY | CATEGORY DESCRIPTION | NUMBER OF SUBCATEGORIES
Govern (GV) | GV.OC | Organizational Context | The circumstances — mission, stakeholder expectations, dependencies, and legal, regulatory, and contractual requirements — surrounding the organization's cybersecurity risk management decisions are understood | 5
Govern (GV) | GV.RM | Risk Management Strategy | The organization's priorities, constraints, risk tolerance and appetite statements, and assumptions are established, communicated, and used to support operational risk decisions | 7
Govern (GV) | GV.RR | Roles, Responsibilities, and Authorities | Cybersecurity roles, responsibilities, and authorities to foster accountability, performance assessment, and continuous improvement are established and communicated | 4
Govern (GV) | GV.PO | Policy | Organizational cybersecurity policy is established, communicated, and enforced | 2
Govern (GV) | GV.OV | Oversight | Results of organization-wide cybersecurity risk management activities and performance are used to inform, improve, and adjust the risk management strategy | 3
Govern (GV) | GV.SC | Cybersecurity Supply Chain Risk Management | Cyber supply chain risk management processes are identified, established, managed, monitored, and improved by organizational stakeholders | 10
Identify (ID) | ID.AM | Asset Management | Assets (e.g., data, hardware, software, systems, facilities, services, people) that enable the organization to achieve business purposes are identified and managed consistent with their relative importance to organizational objectives and the organization's risk strategy | 7
Identify (ID) | ID.RA | Risk Assessment | The cybersecurity risk to the organization, assets, and individuals is understood by the organization | 10
Identify (ID) | ID.IM | Improvement | Improvements to organizational cybersecurity risk management processes, procedures and activities are identified across all CSF Functions | 4
Protect (PR) | PR.AA | Identity Management, Authentication, and Access Control | Access to physical and logical assets is limited to authorized users, services, and hardware and managed commensurate with the assessed risk of unauthorized access | 6
Protect (PR) | PR.AT | Awareness and Training | The organization's personnel are provided with cybersecurity awareness and training so that they can perform their cybersecurity-related tasks | 2
Protect (PR) | PR.DS | Data Security | Data are managed consistent with the organization's risk strategy to protect the confidentiality, integrity, and availability of information | 4
Protect (PR) | PR.PS | Platform Security | The hardware, software (e.g., firmware, operating systems, applications), and services of physical and virtual platforms are managed consistent with the organization's risk strategy to protect their confidentiality, integrity, and availability | 6
Protect (PR) | PR.IR | Technology Infrastructure Resilience | Security architectures are managed with the organization's risk strategy to protect asset confidentiality, integrity, and availability, and organizational resilience | 4
Detect (DE) | DE.CM | Continuous Monitoring | Assets are monitored to find anomalies, indicators of compromise, and other potentially adverse events | 5
Detect (DE) | DE.AE | Adverse Event Analysis | Anomalies, indicators of compromise, and other potentially adverse events are analyzed to characterize the events and detect cybersecurity incidents | 6
Respond (RS) | RS.MA | Incident Management | Responses to detected cybersecurity incidents are managed | 5
Respond (RS) | RS.AN | Incident Analysis | Investigations are conducted to ensure effective response and support forensics and recovery activities | 4
Respond (RS) | RS.CO | Incident Response Reporting and Communication | Response activities are coordinated with internal and external stakeholders as required by laws, regulations, or policies | 2
Respond (RS) | RS.MI | Incident Mitigation | Activities are performed to prevent expansion of an event and mitigate its effects | 2
Recover (RC) | RC.RP | Incident Recovery Plan Execution | Restoration activities are performed to ensure operational availability of systems and services affected by cybersecurity incidents | 6
Recover (RC) | RC.CO | Incident Recovery Communication | Restoration activities are coordinated with internal and external parties | 2

Tier descriptions
TIER | CYBERSECURITY RISK GOVERNANCE | CYBERSECURITY RISK MANAGEMENT

Tier 1: Partial
Cybersecurity Risk Governance: Application of the organizational cybersecurity risk strategy is managed in an ad hoc manner. Prioritization is ad hoc and not formally based on objectives or threat environment.
Cybersecurity Risk Management: There is limited awareness of cybersecurity risks at the organizational level. The organization implements cybersecurity risk management on an irregular, case-by-case basis. The organization may not have processes that enable cybersecurity information to be shared within the organization. The organization is generally unaware of the cybersecurity risks associated with its suppliers and the products and services it acquires and uses.

Tier 2: Risk Informed
Cybersecurity Risk Governance: Risk management practices are approved by management but may not be established as organization-wide policy. The prioritization of cybersecurity activities and protection needs is directly informed by organizational risk objectives, the threat environment, or business/mission requirements.
Cybersecurity Risk Management: There is an awareness of cybersecurity risks at the organizational level, but an organization-wide approach to managing cybersecurity risks has not been established. Consideration of cybersecurity in organizational objectives and programs may occur at some but not all levels of the organization. Cyber risk assessment of organizational and external assets occurs but is not typically repeatable or reoccurring. Cybersecurity information is shared within the organization on an informal basis. The organization is aware of the cybersecurity risks associated with its suppliers and the products and services it acquires and uses, but it does not act consistently or formally in response to those risks.

Tier 3: Repeatable
Cybersecurity Risk Governance: The organization's risk management practices are formally approved and expressed as policy. Risk-informed policies, processes, and procedures are defined, implemented as intended, and reviewed. Organizational cybersecurity practices are regularly updated based on the application of risk management processes to changes in business/mission requirements, threats, and technological landscape.
Cybersecurity Risk Management: There is an organization-wide approach to managing cybersecurity risks. Cybersecurity information is routinely shared throughout the organization. Consistent methods are in place to respond effectively to changes in risk. Personnel possess the knowledge and skills to perform their appointed roles and responsibilities. The organization consistently and accurately monitors the cybersecurity risks of assets. Senior cybersecurity and non-cybersecurity executives communicate regularly regarding cybersecurity risks. Executives ensure that cybersecurity is considered through all lines of operation in the organization. The organization risk strategy is informed by the cybersecurity risks associated with its suppliers and the products and services it acquires and uses. Personnel formally act upon those risks through mechanisms such as written agreements to communicate baseline requirements, governance structures (e.g., risk councils), and policy implementation and monitoring. These actions are implemented consistently and as intended and are continuously monitored and reviewed.

Tier 4: Adaptive
Cybersecurity Risk Governance: There is an organization-wide approach to managing cybersecurity risks that uses risk-informed policies, processes, and procedures to address potential cybersecurity events. The relationship between cybersecurity risks and organizational objectives is clearly understood and considered when making decisions. Executives monitor cybersecurity risks in the same context as financial and other organizational risks. The organizational budget is based on an understanding of the current and predicted risk environment and risk tolerance. Business units implement executive vision and analyze system-level risks in the context of the organizational risk tolerances. Cybersecurity risk management is part of the organizational culture. It evolves from an awareness of previous activities and continuous awareness of activities on organizational systems and networks. The organization can quickly and efficiently account for changes to business/mission objectives in how risk is approached and communicated.
Cybersecurity Risk Management: The organization adapts its cybersecurity practices based on previous and current cybersecurity activities, including lessons learned and predictive indicators. Through a process of continuous improvement that incorporates advanced cybersecurity technologies and practices, the organization actively adapts to a changing technological landscape and responds in a timely and effective manner to evolving, sophisticated threats. The organization uses real-time or near real-time information to understand and consistently act upon the cybersecurity risks associated with its suppliers and the products and services it acquires and uses. Cybersecurity information is constantly shared throughout the organization and with authorized third parties.