NIST Core


Description
The NIST Cybersecurity Framework is US Government guidance for private sector organizations that own, operate, or supply critical infrastructure. It provides a reasonable base level of cyber security. It establishes basic processes and essential controls for cybersecurity.
Owning organization
Validating JSON schema
Creator
License
Creative Commons Zero v1.0 Universal

Definition of the object
{
    "authors": [
        "The MONARC project"
    ],
    "label": "NIST Core",
    "language": "EN",
    "measures": [
        {
            "category": "Asset Management (ID.AM)",
            "code": "1_ID.AM-1",
            "label": "Physical devices and systems within the organization are inventoried",
            "uuid": "231fc2b1-80c2-450e-9d80-f804f5a8984c"
        },
        {
            "category": "Asset Management (ID.AM)",
            "code": "1_ID.AM-2",
            "label": "Software platforms and applications within the organization are inventoried",
            "uuid": "f4f7466f-0ae6-4867-a2ee-6be4e1f02329"
        },
        {
            "category": "Asset Management (ID.AM)",
            "code": "1_ID.AM-3",
            "label": "Organizational communication and data flows are mapped",
            "uuid": "b0cebf68-a023-40af-ba24-e59bd4a45c90"
        },
        {
            "category": "Asset Management (ID.AM)",
            "code": "1_ID.AM-4",
            "label": "External information systems are catalogued",
            "uuid": "57e92f7c-f5ed-4611-a1be-d7f4e1456f9c"
        },
        {
            "category": "Asset Management (ID.AM)",
            "code": "1_ID.AM-5",
            "label": "Resources (e.g., hardware, devices, data, and software) are prioritized based on their classification, criticality, and business value",
            "uuid": "50fc2488-b730-48ae-abf8-93e60f141404"
        },
        {
            "category": "Asset Management (ID.AM)",
            "code": "1_ID.AM-6",
            "label": "Cybersecurity roles and responsibilities for the entire workforce and third-party stakeholders (e.g., suppliers, customers, partners) are established",
            "uuid": "766520fa-3439-4382-babc-eb7d9d6b1f52"
        },
        {
            "category": "Business Environment (ID.BE)",
            "code": "1_ID.BE-1",
            "label": "The organization’s role in the supply chain is identified and communicated",
            "uuid": "46555297-7af1-4d59-ac07-6e627aef4dda"
        },
        {
            "category": "Business Environment (ID.BE)",
            "code": "1_ID.BE-2",
            "label": "The organization’s place in critical infrastructure and its industry sector is identified and communicated",
            "uuid": "63f9f527-2c63-4fda-acda-7ebcf3025873"
        },
        {
            "category": "Business Environment (ID.BE)",
            "code": "1_ID.BE-3",
            "label": "Priorities for organizational mission, objectives, and activities are established and communicated",
            "uuid": "1a422e41-50fc-4c74-b1e4-e3d40b7c82f3"
        },
        {
            "category": "Business Environment (ID.BE)",
            "code": "1_ID.BE-4",
            "label": "Dependencies and critical functions for delivery of critical services are established",
            "uuid": "eaa4fb9d-e687-41a0-8d4b-1ca972bed10a"
        },
        {
            "category": "Business Environment (ID.BE)",
            "code": "1_ID.BE-5",
            "label": "Resilience requirements to support delivery of critical services are established",
            "uuid": "75942c69-3336-4e82-bf59-515aaa6e3513"
        },
        {
            "category": "Governance (ID.GV)",
            "code": "1_ID.GV-1",
            "label": "Organizational information security policy is established",
            "uuid": "7a4074cc-5b40-486a-9a52-6b49be7f95e6"
        },
        {
            "category": "Governance (ID.GV)",
            "code": "1_ID.GV-2",
            "label": "Information security roles & responsibilities are coordinated and aligned with internal roles and external partners",
            "uuid": "29613b2e-8def-417e-85fa-31aa5ef5de3b"
        },
        {
            "category": "Governance (ID.GV)",
            "code": "1_ID.GV-3",
            "label": "Legal and regulatory requirements regarding cybersecurity, including privacy and civil liberties obligations, are understood and managed",
            "uuid": "4e2499c0-d23d-4977-9e9f-6323af31be24"
        },
        {
            "category": "Governance (ID.GV)",
            "code": "1_ID.GV-4",
            "label": "Governance and risk management processes address cybersecurity risks",
            "uuid": "d2e86e2d-5bec-42a2-b642-69995b6abcf0"
        },
        {
            "category": "Risk Assessment (ID.RA)",
            "code": "1_ID.RA-1",
            "label": "Asset vulnerabilities are identified and documented",
            "uuid": "cc6aad46-1887-4da6-93e3-c707be07b9f5"
        },
        {
            "category": "Risk Assessment (ID.RA)",
            "code": "1_ID.RA-2",
            "label": "Threat and vulnerability information is received from information sharing forums and sources",
            "uuid": "0550c268-534a-4311-920d-84466e4865c4"
        },
        {
            "category": "Risk Assessment (ID.RA)",
            "code": "1_ID.RA-3",
            "label": "Threats, both internal and external, are identified and documented",
            "uuid": "1bad7834-b740-48ff-8450-5792b55614db"
        },
        {
            "category": "Risk Assessment (ID.RA)",
            "code": "1_ID.RA-4",
            "label": "Potential business impacts and likelihoods are identified",
            "uuid": "7c09a9bf-407c-4509-94c0-af8314fc3b86"
        },
        {
            "category": "Risk Assessment (ID.RA)",
            "code": "1_ID.RA-5",
            "label": "Threats, vulnerabilities, likelihoods, and impacts are used to determine risk",
            "uuid": "6d0bfd47-88dc-484a-aed8-196eaa12c4db"
        },
        {
            "category": "Risk Assessment (ID.RA)",
            "code": "1_ID.RA-6",
            "label": "Risk responses are identified and prioritized",
            "uuid": "98ce2a28-d424-4436-8c41-2ec0e8d563fa"
        },
        {
            "category": "Risk Management Strategy (ID.RM)",
            "code": "1_ID.RM-1",
            "label": "Risk management processes are established, managed, and agreed to by organizational stakeholders",
            "uuid": "e384f897-1b70-49a5-8491-24c035e1451f"
        },
        {
            "category": "Risk Management Strategy (ID.RM)",
            "code": "1_ID.RM-2",
            "label": "Organizational risk tolerance is determined and clearly expressed",
            "uuid": "7a9f7d35-6714-4182-ae88-d9ff575224a6"
        },
        {
            "category": "Risk Management Strategy (ID.RM)",
            "code": "1_ID.RM-3",
            "label": "The organization’s determination of risk tolerance is informed by its role in critical infrastructure and sector specific risk analysis",
            "uuid": "97331ab3-3365-4fb0-894c-578c460720fa"
        },
        {
            "category": "Supply Chain Risk Management (ID.SC)",
            "code": "1_ID.SC-1",
            "label": "Cyber supply chain risk management processes are identified, established, assessed, managed, and agreed to by organizational stakeholders",
            "uuid": "03dee2e6-285f-44e4-acc5-2388f62584a5"
        },
        {
            "category": "Supply Chain Risk Management (ID.SC)",
            "code": "1_ID.SC-2",
            "label": "Suppliers and third party partners of information systems, components, and services are identified, prioritized, and assessed using a cyber supply chain risk assessment process",
            "uuid": "b9d19a14-74ab-46ae-8456-189d1a180dbf"
        },
        {
            "category": "Supply Chain Risk Management (ID.SC)",
            "code": "1_ID.SC-3",
            "label": "Contracts with suppliers and third-party partners are used to implement appropriate measures designed to meet the objectives of an organization’s cybersecurity program and Cyber Supply Chain Risk Management Plan.",
            "uuid": "1e5aa8d3-b1e9-43e0-9e7e-54bdadac89ea"
        },
        {
            "category": "Supply Chain Risk Management (ID.SC)",
            "code": "1_ID.SC-4",
            "label": "Suppliers and third-party partners are routinely assessed using audits, test results, or other forms of evaluations to confirm they are meeting their contractual obligations.",
            "uuid": "f6d606f5-9a22-4a53-87c1-ebe36f4fe939"
        },
        {
            "category": "Supply Chain Risk Management (ID.SC)",
            "code": "1_ID.SC-5",
            "label": "Response and recovery planning and testing are conducted with suppliers and third-party providers",
            "uuid": "aa988775-7261-412e-bbee-bfd90db78a59"
        },
        {
            "category": "Access Control (PR.AC)",
            "code": "2_PR.AC-1",
            "label": "Identities and credentials are managed for authorized devices and users",
            "uuid": "a6b301ed-e0c1-467d-8e42-e2796c64b785"
        },
        {
            "category": "Access Control (PR.AC)",
            "code": "2_PR.AC-2",
            "label": "Physical access to assets is managed and protected",
            "uuid": "382fe4f1-9f05-4169-a343-2c961a8cf359"
        },
        {
            "category": "Access Control (PR.AC)",
            "code": "2_PR.AC-3",
            "label": "Remote access is managed",
            "uuid": "7ec8092e-3e41-43e0-a8b2-c42b980dd29b"
        },
        {
            "category": "Access Control (PR.AC)",
            "code": "2_PR.AC-4",
            "label": "Access permissions are managed, incorporating the principles of least privilege and separation of duties",
            "uuid": "8feec5e9-c2b2-465b-8fa3-8b65b6a09fcb"
        },
        {
            "category": "Access Control (PR.AC)",
            "code": "2_PR.AC-5",
            "label": "Network integrity is protected, incorporating network segregation where appropriate",
            "uuid": "800fc6f9-e574-4152-89e6-30bae7da4adc"
        },
        {
            "category": "Access Control (PR.AC)",
            "code": "2_PR.AC-6",
            "label": "Identities are proofed and bound to credentials and asserted in interactions",
            "uuid": "d44d0823-1523-457a-b028-6ea0da3adb34"
        },
        {
            "category": "Access Control (PR.AC)",
            "code": "2_PR.AC-7",
            "label": "Users, devices, and other assets are authenticated (e.g., single-factor, multi-factor) commensurate with the risk of the transaction (e.g., individuals’ security and privacy risks and other organizational risks)",
            "uuid": "14aab29b-4760-4f32-ad21-06367a8ea05e"
        },
        {
            "category": "Awareness and Training (PR.AT)",
            "code": "2_PR.AT-1",
            "label": "All users are informed and trained",
            "uuid": "01d259f0-ece0-4f7c-91bf-d09844c576cc"
        },
        {
            "category": "Awareness and Training (PR.AT)",
            "code": "2_PR.AT-2",
            "label": "Privileged users understand roles & responsibilities",
            "uuid": "6386d5df-56f8-46ad-b181-e870491004a5"
        },
        {
            "category": "Awareness and Training (PR.AT)",
            "code": "2_PR.AT-3",
            "label": "Third-party stakeholders (e.g., suppliers, customers, partners) understand roles & responsibilities",
            "uuid": "4879e4fb-cd0e-4968-8dd2-4b6dbe977cdc"
        },
        {
            "category": "Awareness and Training (PR.AT)",
            "code": "2_PR.AT-4",
            "label": "Senior executives understand roles & responsibilities",
            "uuid": "987e9304-80fd-4470-b8b4-213f41a0a957"
        },
        {
            "category": "Awareness and Training (PR.AT)",
            "code": "2_PR.AT-5",
            "label": "Physical and information security personnel understand roles & responsibilities",
            "uuid": "92a81683-1877-48d3-9d5a-c7c0ddd9852b"
        },
        {
            "category": "Data Security (PR.DS)",
            "code": "2_PR.DS-1",
            "label": "Data-at-rest is protected",
            "uuid": "d798a390-f23a-4bbc-abe5-588ab58811c6"
        },
        {
            "category": "Data Security (PR.DS)",
            "code": "2_PR.DS-2",
            "label": "Data-in-transit is protected",
            "uuid": "38022045-6812-4623-8409-7a9d6b3f7ce8"
        },
        {
            "category": "Data Security (PR.DS)",
            "code": "2_PR.DS-3",
            "label": "Assets are formally managed throughout removal, transfers, and disposition",
            "uuid": "acfea27c-c6d5-421a-9ae4-2db82610cc41"
        },
        {
            "category": "Data Security (PR.DS)",
            "code": "2_PR.DS-4",
            "label": "Adequate capacity to ensure availability is maintained",
            "uuid": "e4380999-3c82-4b85-86cd-86f1f37f97ab"
        },
        {
            "category": "Data Security (PR.DS)",
            "code": "2_PR.DS-5",
            "label": "Protections against data leaks are implemented",
            "uuid": "e760c443-e572-43cb-bf5b-8aeb3b42ef65"
        },
        {
            "category": "Data Security (PR.DS)",
            "code": "2_PR.DS-6",
            "label": "Integrity checking mechanisms are used to verify software, firmware, and information integrity",
            "uuid": "e5b116b5-b806-4863-92ba-d8c2f477813b"
        },
        {
            "category": "Data Security (PR.DS)",
            "code": "2_PR.DS-7",
            "label": "The development and testing environment(s) are separate from the production environment",
            "uuid": "6604ef4c-a1d7-43d2-90e4-d2b8d97d880f"
        },
        {
            "category": "Data Security (PR.DS)",
            "code": "2_PR.DS-8",
            "label": "Integrity checking mechanisms are used to verify hardware integrity",
            "uuid": "892d5462-ee77-4379-ab88-a78f3eff45c1"
        },
        {
            "category": "Information Protection Processes and Procedures (PR.IP)",
            "code": "2_PR.IP-1",
            "label": "A baseline configuration of information technology/industrial control systems is created and maintained",
            "uuid": "30a7a092-3e00-4d33-aec2-66d019c2ff03"
        },
        {
            "category": "Information Protection Processes and Procedures (PR.IP)",
            "code": "2_PR.IP-2",
            "label": "A System Development Life Cycle to manage systems is implemented",
            "uuid": "7cd438b8-038b-4f1f-a431-a1a1a83e009c"
        },
        {
            "category": "Information Protection Processes and Procedures (PR.IP)",
            "code": "2_PR.IP-3",
            "label": "Configuration change control processes are in place",
            "uuid": "6f6442e8-952b-4a13-9e97-7c233a7b2a1c"
        },
        {
            "category": "Information Protection Processes and Procedures (PR.IP)",
            "code": "2_PR.IP-4",
            "label": "Backups of information are conducted, maintained, and tested periodically",
            "uuid": "2e411d93-1836-4dbc-baf1-a747d2a9915a"
        },
        {
            "category": "Information Protection Processes and Procedures (PR.IP)",
            "code": "2_PR.IP-5",
            "label": "Policy and regulations regarding the physical operating environment for organizational assets are met",
            "uuid": "f01b50b8-0e54-4f8f-afee-0ec56f788a42"
        },
        {
            "category": "Information Protection Processes and Procedures (PR.IP)",
            "code": "2_PR.IP-6",
            "label": "Data is destroyed according to policy",
            "uuid": "0fd12bc3-c80d-4baa-bc1b-a7fbfb152f86"
        },
        {
            "category": "Information Protection Processes and Procedures (PR.IP)",
            "code": "2_PR.IP-7",
            "label": "Protection processes are continuously improved",
            "uuid": "bb1c6655-a3fc-4d43-8e1b-50f5e418c1aa"
        },
        {
            "category": "Information Protection Processes and Procedures (PR.IP)",
            "code": "2_PR.IP-8",
            "label": "Effectiveness of protection technologies is shared with appropriate parties",
            "uuid": "ac4be007-d8cb-4da5-9a84-118c2841a6f5"
        },
        {
            "category": "Information Protection Processes and Procedures (PR.IP)",
            "code": "2_PR.IP-9",
            "label": "Response plans (Incident Response and Business Continuity) and recovery plans (Incident Recovery and Disaster Recovery) are in place and managed",
            "uuid": "4fe097cd-e0c0-4698-a209-43ffb553a279"
        },
        {
            "category": "Information Protection Processes and Procedures (PR.IP)",
            "code": "2_PR.IP-10",
            "label": "Response and recovery plans are tested",
            "uuid": "e4f85702-5874-4361-beec-45d00b379c5b"
        },
        {
            "category": "Information Protection Processes and Procedures (PR.IP)",
            "code": "2_PR.IP-11",
            "label": "Cybersecurity is included in human resources practices (e.g., deprovisioning, personnel screening)",
            "uuid": "4279b240-b560-4632-a557-9af1322930fd"
        },
        {
            "category": "Information Protection Processes and Procedures (PR.IP)",
            "code": "2_PR.IP-12",
            "label": "A vulnerability management plan is developed and implemented",
            "uuid": "48d2b0ff-ebc0-445b-8f20-3ae47d43242c"
        },
        {
            "category": "Maintenance (PR.MA)",
            "code": "2_PR.MA-1",
            "label": "Maintenance and repair of organizational assets is performed and logged in a timely manner, with approved and controlled tools",
            "uuid": "6da92eea-2f74-458f-a643-361df7ea9f2f"
        },
        {
            "category": "Maintenance (PR.MA)",
            "code": "2_PR.MA-2",
            "label": "Remote maintenance of organizational assets is approved, logged, and performed in a manner that prevents unauthorized access",
            "uuid": "831f20de-eadb-44a7-82f3-fcb116d8cb69"
        },
        {
            "category": "Protective Technology (PR.PT)",
            "code": "2_PR.PT-1",
            "label": "Audit/log records are determined, documented, implemented, and reviewed in accordance with policy",
            "uuid": "3dcdd5d1-48e8-4b66-8567-65e0f0c8be4a"
        },
        {
            "category": "Protective Technology (PR.PT)",
            "code": "2_PR.PT-2",
            "label": "Removable media is protected and its use restricted according to policy",
            "uuid": "0f278ef8-3a97-4e0e-bc30-66d530bdea47"
        },
        {
            "category": "Protective Technology (PR.PT)",
            "code": "2_PR.PT-3",
            "label": "Access to systems and assets is controlled, incorporating the principle of least functionality",
            "uuid": "02cc6244-c9d8-4db1-aeb3-a05933207c9d"
        },
        {
            "category": "Protective Technology (PR.PT)",
            "code": "2_PR.PT-4",
            "label": "Communications and control networks are protected",
            "uuid": "6b2a7cc7-c35a-4020-92d8-5935e1229676"
        },
        {
            "category": "Protective Technology (PR.PT)",
            "code": "2_PR.PT-5",
            "label": "Mechanisms (e.g., failsafe, load balancing, hot swap) are implemented to achieve resilience requirements in normal and adverse situations",
            "uuid": "3e3e542a-67b2-4a77-b09b-9dc9b977cd8e"
        },
        {
            "category": "Anomalies and Events (DE.AE)",
            "code": "3_DE.AE-1",
            "label": "A baseline of network operations and expected data flows for users and systems is established and managed",
            "uuid": "24ac8920-3747-45bb-b9d1-1ca0d1d84d3f"
        },
        {
            "category": "Anomalies and Events (DE.AE)",
            "code": "3_DE.AE-2",
            "label": "Detected events are analyzed to understand attack targets and methods",
            "uuid": "69f50c12-9eab-4305-be4f-97a2002ccc0c"
        },
        {
            "category": "Anomalies and Events (DE.AE)",
            "code": "3_DE.AE-3",
            "label": "Event data are aggregated and correlated from multiple sources and sensors",
            "uuid": "31dc508e-664e-4173-8757-00ec985115c8"
        },
        {
            "category": "Anomalies and Events (DE.AE)",
            "code": "3_DE.AE-4",
            "label": "Impact of events is determined",
            "uuid": "3f6e72ed-2984-452d-badd-5563acbf0450"
        },
        {
            "category": "Anomalies and Events (DE.AE)",
            "code": "3_DE.AE-5",
            "label": "Incident alert thresholds are established",
            "uuid": "52d551ef-7334-45a3-9dd7-0b8d239ba1f6"
        },
        {
            "category": "Security Continuous Monitoring (DE.CM)",
            "code": "3_DE.CM-1",
            "label": "The network is monitored to detect potential cybersecurity events",
            "uuid": "9b355a55-73ce-4d55-8016-d93e3c555a55"
        },
        {
            "category": "Security Continuous Monitoring (DE.CM)",
            "code": "3_DE.CM-2",
            "label": "The physical environment is monitored to detect potential cybersecurity events",
            "uuid": "dec6cf8c-1714-45f4-bfd2-23a049fb9b35"
        },
        {
            "category": "Security Continuous Monitoring (DE.CM)",
            "code": "3_DE.CM-3",
            "label": "Personnel activity is monitored to detect potential cybersecurity events",
            "uuid": "a8f83595-0327-4e24-9557-0e8d9b82856f"
        },
        {
            "category": "Security Continuous Monitoring (DE.CM)",
            "code": "3_DE.CM-4",
            "label": "Malicious code is detected",
            "uuid": "70e202bf-2270-4daf-8fb5-4f6fb10de979"
        },
        {
            "category": "Security Continuous Monitoring (DE.CM)",
            "code": "3_DE.CM-5",
            "label": "Unauthorized mobile code is detected",
            "uuid": "54eeaae4-2b82-43ce-9a61-40d453116d8d"
        },
        {
            "category": "Security Continuous Monitoring (DE.CM)",
            "code": "3_DE.CM-6",
            "label": "External service provider activity is monitored to detect potential cybersecurity events",
            "uuid": "bbb99e89-ee33-46fc-bc03-1582631210c4"
        },
        {
            "category": "Security Continuous Monitoring (DE.CM)",
            "code": "3_DE.CM-7",
            "label": "Monitoring for unauthorized personnel, connections, devices, and software is performed",
            "uuid": "e4f36efd-2e64-4ee8-9fd1-af2bec0b68d0"
        },
        {
            "category": "Security Continuous Monitoring (DE.CM)",
            "code": "3_DE.CM-8",
            "label": "Vulnerability scans are performed",
            "uuid": "ebc0b0f8-4403-481f-be4a-7f35ae3cb6be"
        },
        {
            "category": "Detection Processes (DE.DP)",
            "code": "3_DE.DP-1",
            "label": "Roles and responsibilities for detection are well defined to ensure accountability",
            "uuid": "48a13f85-a811-43fa-a0e8-89f67fb2743f"
        },
        {
            "category": "Detection Processes (DE.DP)",
            "code": "3_DE.DP-2",
            "label": "Detection activities comply with all applicable requirements",
            "uuid": "f9d1a926-5d39-4123-8b83-a94c21ff18e5"
        },
        {
            "category": "Detection Processes (DE.DP)",
            "code": "3_DE.DP-3",
            "label": "Detection processes are tested",
            "uuid": "23e4c883-c358-4b64-8d7e-249c67b7f1f2"
        },
        {
            "category": "Detection Processes (DE.DP)",
            "code": "3_DE.DP-4",
            "label": "Event detection information is communicated to appropriate parties",
            "uuid": "025611cb-8431-4a9c-a88c-039141472418"
        },
        {
            "category": "Detection Processes (DE.DP)",
            "code": "3_DE.DP-5",
            "label": "Detection processes are continuously improved",
            "uuid": "ad0458f2-c836-4c7d-9d8f-6333fc6af2e9"
        },
        {
            "category": "Response Planning (RS.RP)",
            "code": "4_RS.RP-1",
            "label": "Response plan is executed during or after an event",
            "uuid": "b237b4b1-a21a-4122-b4c8-e068ad58ef21"
        },
        {
            "category": "Communications (RS.CO)",
            "code": "4_RS.CO-1",
            "label": "Personnel know their roles and order of operations when a response is needed",
            "uuid": "cce52cf2-aa85-4f33-8cb8-b0508f452c25"
        },
        {
            "category": "Communications (RS.CO)",
            "code": "4_RS.CO-2",
            "label": "Events are reported consistent with established criteria",
            "uuid": "30ff804b-d8e2-44da-a49e-bb1a39e5f81a"
        },
        {
            "category": "Communications (RS.CO)",
            "code": "4_RS.CO-3",
            "label": "Information is shared consistent with response plans",
            "uuid": "2d88bd60-ff72-40cc-a2b4-ae7c9cbd2a68"
        },
        {
            "category": "Communications (RS.CO)",
            "code": "4_RS.CO-4",
            "label": "Coordination with stakeholders occurs consistent with response plans",
            "uuid": "34a2e449-b69d-4f75-a548-8c5faee598b5"
        },
        {
            "category": "Communications (RS.CO)",
            "code": "4_RS.CO-5",
            "label": "Voluntary information sharing occurs with external stakeholders to achieve broader cybersecurity situational awareness",
            "uuid": "bb37f7e5-ff5d-4b9a-a621-dfb26f3fccaf"
        },
        {
            "category": "Analysis (RS.AN)",
            "code": "4_RS.AN-1",
            "label": "Notifications from detection systems are investigated",
            "uuid": "e6ab0d96-2ced-445d-a19f-97710b2cc346"
        },
        {
            "category": "Analysis (RS.AN)",
            "code": "4_RS.AN-2",
            "label": "The impact of the incident is understood",
            "uuid": "0c7c3558-9c78-4bcc-816b-9123c899b653"
        },
        {
            "category": "Analysis (RS.AN)",
            "code": "4_RS.AN-3",
            "label": "Forensics are performed",
            "uuid": "cf3d3d41-f0d5-4eb9-b6c5-537d72ea645a"
        },
        {
            "category": "Analysis (RS.AN)",
            "code": "4_RS.AN-4",
            "label": "Incidents are categorized consistent with response plans",
            "uuid": "1ea30a61-92f4-4ae0-a349-3f947bf0dc94"
        },
        {
            "category": "Analysis (RS.AN)",
            "code": "4_RS.AN-5",
            "label": "Processes are established to receive, analyze and respond to vulnerabilities disclosed to the organization from internal and external sources (e.g. internal testing, security bulletins, or security researchers)",
            "uuid": "83c3ab70-566c-4bbe-a3b8-940d9fbb5ad7"
        },
        {
            "category": "Mitigation (RS.MI)",
            "code": "4_RS.MI-1",
            "label": "Incidents are contained",
            "uuid": "2736e702-38ef-439d-9e8b-989ef56f8735"
        },
        {
            "category": "Mitigation (RS.MI)",
            "code": "4_RS.MI-2",
            "label": "Incidents are mitigated",
            "uuid": "e94941eb-31da-40e0-b944-07c43233e7c0"
        },
        {
            "category": "Mitigation (RS.MI)",
            "code": "4_RS.MI-3",
            "label": "Newly identified vulnerabilities are mitigated or documented as accepted risks",
            "uuid": "0de24c0a-53cb-4481-9b8d-fccc252e4f03"
        },
        {
            "category": "Improvements (RS.IM)",
            "code": "4_RS.IM-1",
            "label": "Response plans incorporate lessons learned",
            "uuid": "01314572-becc-4780-945f-9ed3a40af900"
        },
        {
            "category": "Improvements (RS.IM)",
            "code": "4_RS.IM-2",
            "label": "Response strategies are updated",
            "uuid": "f0753789-bcc3-4f66-9bb5-b6179bb367de"
        },
        {
            "category": "Recovery Planning (RC.RP)",
            "code": "5_RC.RP-1",
            "label": "Recovery plan is executed during or after an event",
            "uuid": "0d124100-372e-429b-9e2f-d12211f005e1"
        },
        {
            "category": "Improvements (RC.IM)",
            "code": "5_RC.IM-1",
            "label": "Recovery plans incorporate lessons learned",
            "uuid": "52ab8937-c260-4cf3-a807-ce1381afa4c9"
        },
        {
            "category": "Improvements (RC.IM)",
            "code": "5_RC.IM-2",
            "label": "Recovery strategies are updated",
            "uuid": "421b5608-0f1d-4de5-b646-ff9538f8493f"
        },
        {
            "category": "Communications (RC.CO)",
            "code": "5_RC.CO-1",
            "label": "Public relations are managed",
            "uuid": "771e3059-9eb4-4313-94b4-f0e8fa102498"
        },
        {
            "category": "Communications (RC.CO)",
            "code": "5_RC.CO-2",
            "label": "Reputation after an event is repaired",
            "uuid": "ecde2384-2cdb-46cc-9a15-37ea9ee175ee"
        },
        {
            "category": "Communications (RC.CO)",
            "code": "5_RC.CO-3",
            "label": "Recovery activities are communicated to internal stakeholders and executive and management teams",
            "uuid": "c8de5e1f-7893-42b3-852d-fa4f79bc68fa"
        }
    ],
    "refs": [
        "https://www.nist.gov/cyberframework/framework"
    ],
    "uuid": "fcf78560-3d12-42ba-8f4a-5761ca02ac94",
    "version": "1.1"
}