NIST Cybersecurity Framework (CSF) 2.0 to SFIA v9 Skills Mapping
NIST CSF to SFIA skills mapping to identify the SFIA skills that are relevant to the CSF outcomes
Registered users can download a pdf version: Download the NIST Cybersecurity Framework (CSF) 2.0 to SFIA v9 Skills Mapping pdf document. Registration is free and provides access to this pdf and a range of valuable documents.
Using the NIST CSF 2.0 to SFIA Mapping
The mapping provides detailed skill alignments for each NIST CSF 2.0 outcome and subcategory. For each CSF function (Govern, Identify, Protect, Detect, Respond, Recover), the mapping identifies:
- Illustrative SFIA levels of responsibility for the overall outcome – indicating the typical seniority and autonomy required
- Specific SFIA skills relevant to each subcategory – showing which professional competencies are needed
- Typical participation patterns across organisational levels – clarifying who should be involved and at what level
These illustrative levels reflect common patterns but should be adapted to your organisation's size, structure and maturity context. A small organisation may require individuals to work at higher levels across multiple skills, while larger organisations can distribute responsibilities more widely.
This granular mapping supports organisations in translating their CSF implementation objectives directly into workforce capability requirements, supporting precise job design, skills assessment, learning and development planning, and vendor evaluation. It moves workforce planning from generic assumptions to evidence-based decisions grounded in the specific outcomes your organisation needs to achieve.
For more details download the pdf and/or see the companion document Maturity Modelling, NIST CSF and SFIA.
Govern (GV): The organization's cybersecurity risk management strategy, expectations, and policy are established, communicated, and monitored.
NIST CSF Outcome: The circumstances - mission, stakeholder expectations, dependencies, and legal, regulatory, and contractual requirements - surrounding the organisation's cyber security risk management decisions are understood
Illustrative SFIA levels of responsibility for the NIST CSF outcome
| Primary Accountability | Typical Participation |
|---|---|
| Level 6-7. Who: Executive leadership and senior management establish and communicate organizational mission, stakeholder needs, and dependencies. Why this level: Requires enterprise-wide influence, understanding of strategic objectives, and authority to define how cybersecurity aligns with organizational mission. | Levels 3-7. Key activities: L6-7: Set strategic direction, accountable for stakeholder relationships; L4-5: Analyze stakeholder needs, coordinate across functions, provide authoritative advice on dependencies; L3: Document requirements, gather stakeholder input, support compliance activities. |
| Rationale: Understanding organizational context is fundamentally a strategic governance activity requiring senior leadership perspective, though implementation involves all levels. | |
Illustrative SFIA skills mapping to the NIST CSF subcategories
| NIST CSF Subcategory | ID | NIST CSF Implementation examples | SFIA skills |
|---|---|---|---|
| The organisational mission is understood and informs cyber security risk management | GV.OC-01 | Ex1: Share the organisation's mission (e.g., through vision and mission statements, marketing, and service strategies) to provide a basis for identifying risks that may impede that mission | Technology service management (ITMG) |
| Internal and external stakeholders are understood, and their needs and expectations regarding cyber security risk management are understood and considered | GV.OC-02 | Ex1: Identify relevant internal stakeholders and their cyber security-related expectations (e.g., performance and risk expectations of officers, directors, and advisors; cultural expectations of employees) Ex2: Identify relevant external stakeholders and their cyber security-related expectations (e.g., privacy expectations of customers, business expectations of partnerships, compliance expectations of regulators, ethics expectations of society) | |
| Legal, regulatory, and contractual requirements regarding cyber security - including privacy and civil liberties obligations - are understood and managed | GV.OC-03 | Ex1: Determine a process to track and manage legal and regulatory requirements regarding protection of individuals' information (e.g., Health Insurance Portability and Accountability Act, California Consumer Privacy Act, General Data Protection Regulation) Ex2: Determine a process to track and manage contractual requirements for cyber security management of supplier, customer, and partner information Ex3: Align the organisation's cyber security strategy with legal, regulatory, and contractual requirements | Organisational change enablement (OCEN) |
| Critical objectives, capabilities, and services that external stakeholders depend on or expect from the organisation are understood and communicated | GV.OC-04 | Ex1: Establish criteria for determining the criticality of capabilities and services as viewed by internal and external stakeholders Ex2: Determine (e.g., from a business impact analysis) assets and business operations that are vital to achieving mission objectives and the potential impact of a loss (or partial loss) of such operations Ex3: Establish and communicate resilience objectives (e.g., recovery time objectives) for delivering critical capabilities and services in various operating states (e.g., under attack, during recovery, normal operation) | Stakeholder relationship management (RLMT) |
| Outcomes, capabilities, and services that the organisation depends on are understood and communicated | GV.OC-05 | Ex1: Create an inventory of the organisation's dependencies on external resources (e.g., facilities, cloud-based hosting providers) and their relationships to organisational assets and business functions Ex2: Identify and document external dependencies that are potential points of failure for the organisation's critical capabilities and services, and share that information with appropriate personnel | Business situation analysis (BUSA) |
NIST CSF Outcome: The organisation's priorities, constraints, risk tolerance and appetite statements, and assumptions are established, communicated, and used to support operational risk decisions
Illustrative SFIA levels of responsibility for the NIST CSF outcome
| Primary Accountability | Typical Participation |
|---|---|
| Level 6-7. Who: Executive leadership defines risk appetite and tolerance; senior management ensures integration with enterprise risk management. Why this level: Risk appetite is a board/executive decision; requires authority to make strategic risk decisions affecting the entire organization. | Levels 3-7. Key activities: L6-7: Define and approve risk appetite, strategic direction; L4-5: Develop risk management frameworks and methods, provide expert guidance on risk prioritization, ensure implementation; L2-3: Apply risk assessment methods, document and categorize risks, support risk analysis. |
| Rationale: Strategic risk decisions sit at executive level, but operational risk management requires significant capability at L4-5 to develop methods and ensure consistent application. | |
Illustrative SFIA skills mapping to the NIST CSF subcategories
| NIST CSF Subcategory | ID | NIST CSF Implementation examples | SFIA skills |
|---|---|---|---|
| Risk management objectives are established and agreed to by organisational stakeholders | GV.RM-01 | Ex1: Update near-term and long-term cyber security risk management objectives as part of annual strategic planning and when major changes occur Ex2: Establish measurable objectives for cyber security risk management (e.g., manage the quality of user training, ensure adequate risk protection for industrial control systems) Ex3: Senior leaders agree about cyber security objectives and use them for measuring and managing risk and performance | |
| Risk appetite and risk tolerance statements are established, communicated, and maintained | GV.RM-02 | Ex1: Determine and communicate risk appetite statements that convey expectations about the appropriate level of risk for the organisation Ex2: Translate risk appetite statements into specific, measurable, and broadly understandable risk tolerance statements Ex3: Refine organisational objectives and risk appetite periodically based on known risk exposure and residual risk | |
| Cyber security risk management activities and outcomes are included in enterprise risk management processes | GV.RM-03 | Ex1: Aggregate and manage cyber security risks alongside other enterprise risks (e.g., compliance, financial, operational, regulatory, reputational, safety) Ex2: Include cyber security risk managers in enterprise risk management planning Ex3: Establish criteria for escalating cyber security risks within enterprise risk management | |
| Strategic direction that describes appropriate risk response options is established and communicated | GV.RM-04 | Ex1: Specify criteria for accepting and avoiding cyber security risk for various classifications of data Ex2: Determine whether to purchase cyber security insurance Ex3: Document conditions under which shared responsibility models are acceptable (e.g., outsourcing certain cyber security functions, having a third party perform financial transactions on behalf of the organisation, using public cloud-based services) | |
| Lines of communication across the organisation are established for cyber security risks, including risks from suppliers and other third parties | GV.RM-05 | Ex1: Determine how to update senior executives, directors, and management on the organisation's cyber security posture at agreed-upon intervals Ex2: Identify how all departments across the organisation - such as management, operations, internal auditors, legal, acquisition, physical security, and HR - will communicate with each other about cyber security risks | |
| A standardised method for calculating, documenting, categorising, and prioritising cyber security risks is established and communicated | GV.RM-06 | Ex1: Establish criteria for using a quantitative approach to cyber security risk analysis, and specify probability and exposure formulas Ex2: Create and use templates (e.g., a risk register) to document cyber security risk information (e.g., risk description, exposure, treatment, and ownership) Ex3: Establish criteria for risk prioritisation at the appropriate levels within the enterprise Ex4: Use a consistent list of risk categories to support integrating, aggregating, and comparing cyber security risks | |
| Strategic opportunities (i.e., positive risks) are characterised and are included in organisational cyber security risk discussions | GV.RM-07 | Ex1: Define and communicate guidance and methods for identifying opportunities and including them in risk discussions (e.g., strengths, weaknesses, opportunities, and threats [SWOT] analysis) Ex2: Identify stretch goals and document them Ex3: Calculate, document, and prioritise positive risks alongside negative risks | |
NIST CSF Outcome: Cyber security roles, responsibilities, and authorities to foster accountability, performance assessment, and continuous improvement are established and communicated
Illustrative SFIA levels of responsibility for the NIST CSF outcome
| Primary Accountability | Typical Participation |
|---|---|
| Level 6-7. Who: Organizational leadership establishes roles, allocates resources, and fosters risk-aware culture. Why this level: Requires authority to define organizational structure, allocate resources, and hold leaders accountable. | Levels 4-7. Key activities: L6-7: Define and approve roles, allocate resources, establish culture; L4-5: Operationalize role definitions, manage resource allocation within scope, support organizational development. |
| Rationale: Organizational design and resource allocation are executive/senior management responsibilities. This is primarily a leadership/management activity; L1-3 participation is minimal. | |
Illustrative SFIA skills mapping to the NIST CSF subcategories
| NIST CSF Subcategory | ID | NIST CSF Implementation examples | SFIA skills |
|---|---|---|---|
| Organisational leadership is responsible and accountable for cyber security risk and fosters a culture that is risk-aware, ethical, and continually improving | GV.RR-01 | Ex1: Leaders (e.g., directors) agree on their roles and responsibilities in developing, implementing, and assessing the organisation's cyber security strategy Ex2: Share leaders' expectations regarding a secure and ethical culture, especially when current events present the opportunity to highlight positive or negative examples of cyber security risk management Ex3: Leaders direct the CISO to maintain a comprehensive cyber security risk strategy and review and update it at least annually and after major events Ex4: Conduct reviews to ensure adequate authority and coordination among those responsible for managing cyber security risk | Learning and development management (ETMG) |
| Roles, responsibilities, and authorities related to cyber security risk management are established, communicated, understood, and enforced | GV.RR-02 | Ex1: Document risk management roles and responsibilities in policy Ex2: Document who is responsible and accountable for cyber security risk management activities and how those teams and individuals are to be consulted and informed Ex3: Include cyber security responsibilities and performance requirements in personnel descriptions Ex4: Document performance goals for personnel with cyber security risk management responsibilities, and periodically measure performance to identify areas for improvement Ex5: Clearly articulate cyber security responsibilities within operations, risk functions, and internal audit functions | |
| Adequate resources are allocated commensurate with the cyber security risk strategy, roles, responsibilities, and policies | GV.RR-03 | Ex1: Conduct periodic management reviews to ensure that those given cyber security risk management responsibilities have the necessary authority Ex2: Identify resource allocation and investment in line with risk tolerance and response Ex3: Provide adequate and sufficient people, process, and technical resources to support the cyber security strategy | |
| Cyber security is included in human resources practices | GV.RR-04 | Ex1: Integrate cyber security risk management considerations into human resources processes (e.g., personnel screening, onboarding, change notification, offboarding) Ex2: Consider cyber security knowledge to be a positive factor in hiring, training, and retention decisions Ex3: Conduct background checks prior to onboarding new personnel for sensitive roles, and periodically repeat background checks for personnel with such roles Ex4: Define and enforce obligations for personnel to be aware of, adhere to, and uphold security policies as they relate to their roles | Learning and development management (ETMG); Organisational capability development (OCDV) |
NIST CSF Outcome: Organisational cyber security policy is established, communicated, and enforced
Illustrative SFIA levels of responsibility for the NIST CSF outcome
| Primary Accountability | Typical Participation |
|---|---|
| Level 6-7. Who: Executive leadership and senior management establish, communicate, and enforce cybersecurity policies. Why this level: Requires authority to establish organizational policies, ensure compliance, and make policy decisions affecting the entire organization. | Levels 3-7. Key activities: L6-7: Establish and approve policies, ensure enforcement; L4-5: Develop policy content, provide expert guidance on policy requirements, support implementation; L3: Document policy requirements, support policy communication, assist with compliance monitoring. |
| Rationale: Policy establishment is an executive governance function, though technical experts at L4-5 contribute significantly to policy content and implementation guidance. | |
Illustrative SFIA skills mapping to the NIST CSF subcategories
| NIST CSF Subcategory | ID | NIST CSF Implementation examples | SFIA skills |
|---|---|---|---|
| Policy for managing cyber security risks is established based on organisational context, cyber security strategy, and priorities and is communicated and enforced | GV.PO-01 | Ex1: Create, disseminate, and maintain an understandable, usable risk management policy with statements of management intent, expectations, and direction Ex2: Periodically review policy and supporting processes and procedures to ensure that they align with risk management strategy objectives and priorities, as well as the high-level direction of the cyber security policy Ex3: Require approval from senior management on policy Ex4: Communicate cyber security risk management policy and supporting processes and procedures across the organisation Ex5: Require personnel to acknowledge receipt of policy when first hired, annually, and whenever policy is updated | |
| Policy for managing cyber security risks is reviewed, updated, communicated, and enforced to reflect changes in requirements, threats, technology, and organisational mission | GV.PO-02 | Ex1: Update policy based on periodic reviews of cyber security risk management results to ensure that policy and supporting processes and procedures adequately maintain risk at an acceptable level Ex2: Provide a timeline for reviewing changes to the organisation's risk environment (e.g., changes in risk or in the organisation's mission objectives), and communicate recommended policy updates Ex3: Update policy to reflect changes in legal and regulatory requirements Ex4: Update policy to reflect changes in technology (e.g., adoption of artificial intelligence) and changes to the business (e.g., acquisition of a new business, new contract requirements) | Stakeholder relationship management (RLMT) |
NIST CSF Outcome: Results of organisation-wide cyber security risk management activities and performance are used to inform, improve, and adjust the risk management strategy
Illustrative SFIA levels of responsibility for the NIST CSF outcome
| Primary Accountability | Typical Participation |
|---|---|
| Level 6-7. Who: Senior management reviews cybersecurity risk management performance and adjusts strategy. Why this level: Requires authority to evaluate organization-wide performance, make strategic adjustments, and hold functions accountable. | Levels 4-7. Key activities: L6-7: Review and adjust strategy, evaluate organizational performance; L4-5: Provide performance data and analysis, support strategy reviews, recommend adjustments. |
| Rationale: Strategic oversight and performance evaluation are senior management responsibilities requiring organizational authority and accountability. | |
Illustrative SFIA skills mapping to the NIST CSF subcategories
| NIST CSF Subcategory | ID | NIST CSF Implementation examples | SFIA skills |
|---|---|---|---|
| Cyber security risk management strategy outcomes are reviewed to inform and adjust strategy and direction | GV.OV-01 | Ex1: Measure how well the risk management strategy and risk results have helped leaders make decisions and achieve organisational objectives Ex2: Examine whether cyber security risk strategies that impede operations or innovation should be adjusted | |
| The cyber security risk management strategy is reviewed and adjusted to ensure coverage of organisational requirements and risks | GV.OV-02 | Ex1: Review audit findings to confirm whether the existing cyber security strategy has ensured compliance with internal and external requirements Ex2: Review the performance oversight of those in cyber security-related roles to determine whether policy changes are necessary Ex3: Review strategy in light of cyber security incidents | |
| Organisational cyber security risk management performance is evaluated and reviewed for adjustments needed | GV.OV-03 | Ex1: Review key performance indicators (KPIs) to ensure that organisation-wide policies and procedures achieve objectives Ex2: Review key risk indicators (KRIs) to identify risks the organisation faces, including likelihood and potential impact Ex3: Collect and communicate metrics on cyber security risk management with senior leadership | |
NIST CSF Outcome: Cyber supply chain risk management processes are identified, established, managed, monitored, and improved by organisational stakeholders
Illustrative SFIA levels of responsibility for the NIST CSF outcome
| Primary Accountability | Typical Participation |
|---|---|
| Level 5-6. Who: Senior management establishes programs and ensures supplier relationships are managed according to risk. Why this level: Requires organizational influence to coordinate across procurement, legal, and technology functions; significant accountability but typically delegated from executive level. | Levels 3-6. Key activities: L6: Establish program, shape policies, ensure integration; L4-5: Manage supplier relationships, conduct due diligence, provide authoritative guidance on supplier risks; L3: Perform supplier assessments, document risks, support contract reviews. |
| Rationale: Supply chain risk management is operationally complex and requires senior management oversight, but doesn't always require C-suite involvement unless strategic suppliers are involved. | |
Illustrative SFIA skills mapping to the NIST CSF subcategories
| NIST CSF Subcategory | ID | NIST CSF Implementation examples | SFIA skills |
|---|---|---|---|
| A cyber security supply chain risk management program, strategy, objectives, policies, and processes are established and agreed to by organisational stakeholders | GV.SC-01 | Ex1: Establish a strategy that expresses the objectives of the cyber security supply chain risk management program Ex2: Develop the cyber security supply chain risk management program, including a plan (with milestones), policies, and procedures that guide implementation and improvement of the program, and share the policies and procedures with the organisational stakeholders Ex3: Develop and implement program processes based on the strategy, objectives, policies, and procedures that are agreed upon and performed by the organisational stakeholders Ex4: Establish a cross-organisational mechanism that ensures alignment between functions that contribute to cyber security supply chain risk management, such as cyber security, IT, operations, legal, human resources, and engineering | |
| Cyber security roles and responsibilities for suppliers, customers, and partners are established, communicated, and coordinated internally and externally | GV.SC-02 | Ex1: Identify one or more specific roles or positions that will be responsible and accountable for planning, resourcing, and executing cyber security supply chain risk management activities Ex2: Document cyber security supply chain risk management roles and responsibilities in policy Ex3: Create responsibility matrixes to document who will be responsible and accountable for cyber security supply chain risk management activities and how those teams and individuals will be consulted and informed Ex4: Include cyber security supply chain risk management responsibilities and performance requirements in personnel descriptions to ensure clarity and improve accountability Ex5: Document performance goals for personnel with cyber security risk management-specific responsibilities, and periodically measure them to demonstrate and improve performance Ex6: Develop roles and responsibilities for suppliers, customers, and business partners to address shared responsibilities for applicable cyber security risks, and integrate them into organisational policies and applicable third-party agreements Ex7: Internally communicate cyber security supply chain risk management roles and responsibilities for third parties Ex8: Establish rules and protocols for information sharing and reporting processes between the organisation and its suppliers | |
| Cyber security supply chain risk management is integrated into cyber security and enterprise risk management, risk assessment, and improvement processes | GV.SC-03 | Ex1: Identify areas of alignment and overlap with cyber security and enterprise risk management Ex2: Establish integrated control sets for cyber security risk management and cyber security supply chain risk management Ex3: Integrate cyber security supply chain risk management into improvement processes Ex4: Escalate material cyber security risks in supply chains to senior management, and address them at the enterprise risk management level | |
| Suppliers are known and prioritised by criticality | GV.SC-04 | Ex1: Develop criteria for supplier criticality based on, for example, the sensitivity of data processed or possessed by suppliers, the degree of access to the organisation's systems, and the importance of the products or services to the organisation's mission Ex2: Keep a record of all suppliers, and prioritise suppliers based on the criticality criteria | |
| Requirements to address cyber security risks in supply chains are established, prioritised, and integrated into contracts and other types of agreements with suppliers and other relevant third parties | GV.SC-05 | Ex1: Establish security requirements for suppliers, products, and services commensurate with their criticality level and potential impact if compromised Ex2: Include all cyber security and supply chain requirements that third parties must follow and how compliance with the requirements may be verified in default contractual language Ex3: Define the rules and protocols for information sharing between the organisation and its suppliers and sub-tier suppliers in agreements Ex4: Manage risk by including security requirements in agreements based on their criticality and potential impact if compromised Ex5: Define security requirements in service-level agreements (SLAs) for monitoring suppliers for acceptable security performance throughout the supplier relationship lifecycle Ex6: Contractually require suppliers to disclose cyber security features, functions, and vulnerabilities of their products and services for the life of the product or the term of service Ex7: Contractually require suppliers to provide and maintain a current component inventory (e.g., software or hardware bill of materials) for critical products Ex8: Contractually require suppliers to vet their employees and guard against insider threats Ex9: Contractually require suppliers to provide evidence of performing acceptable security practices through, for example, self-attestation, conformance to known standards, certifications, or inspections Ex10: Specify in contracts and other agreements the rights and responsibilities of the organisation, its suppliers, and their supply chains, with respect to potential cyber security risks | |
| Planning and due diligence are performed to reduce risks before entering into formal supplier or other third-party relationships | GV.SC-06 | Ex1: Perform thorough due diligence on prospective suppliers that is consistent with procurement planning and commensurate with the level of risk, criticality, and complexity of each supplier relationship Ex2: Assess the suitability of the technology and cyber security capabilities and the risk management practices of prospective suppliers Ex3: Conduct supplier risk assessments against business and applicable cyber security requirements Ex4: Assess the authenticity, integrity, and security of critical products prior to acquisition and use | |
| The risks posed by a supplier, their products and services, and other third parties are understood, recorded, prioritised, assessed, responded to, and monitored over the course of the relationship | GV.SC-07 | Ex1: Adjust assessment formats and frequencies based on the third party's reputation and the criticality of the products or services they provide Ex2: Evaluate third parties' evidence of compliance with contractual cyber security requirements, such as self-attestations, warranties, certifications, and other artifacts Ex3: Monitor critical suppliers to ensure that they are fulfilling their security obligations throughout the supplier relationship lifecycle using a variety of methods and techniques, such as inspections, audits, tests, or other forms of evaluation Ex4: Monitor critical suppliers, services, and products for changes to their risk profiles, and reevaluate supplier criticality and risk impact accordingly Ex5: Plan for unexpected supplier and supply chain-related interruptions to ensure business continuity | |
| Relevant suppliers and other third parties are included in incident planning, response, and recovery activities | GV.SC-08 | Ex1: Define and use rules and protocols for reporting incident response and recovery activities and the status between the organisation and its suppliers Ex2: Identify and document the roles and responsibilities of the organisation and its suppliers for incident response Ex3: Include critical suppliers in incident response exercises and simulations Ex4: Define and coordinate crisis communication methods and protocols between the organisation and its critical suppliers Ex5: Conduct collaborative lessons learned sessions with critical suppliers | |
| Supply chain security practices are integrated into cyber security and enterprise risk management programs, and their performance is monitored throughout the technology product and service life cycle | GV.SC-09 | Ex1: Policies and procedures require provenance records for all acquired technology products and services Ex2: Periodically provide risk reporting to leaders about how acquired components are proven to be untampered and authentic Ex3: Communicate regularly among cyber security risk managers and operations personnel about the need to acquire software patches, updates, and upgrades only from authenticated and trustworthy software providers Ex4: Review policies to ensure that they require approved supplier personnel to perform maintenance on supplier products Ex5: Policies and procedures require checking upgrades to critical hardware for unauthorised changes | |
| Cyber security supply chain risk management plans include provisions for activities that occur after the conclusion of a partnership or service agreement | GV.SC-10 | Ex1: Establish processes for terminating critical relationships under both normal and adverse circumstances Ex2: Define and implement plans for component end-of-life maintenance support and obsolescence Ex3: Verify that supplier access to organisation resources is deactivated promptly when it is no longer needed Ex4: Verify that assets containing the organisation's data are returned or properly disposed of in a timely, controlled, and safe manner Ex5: Develop and execute a plan for terminating or transitioning supplier relationships that takes supply chain security risk and resiliency into account Ex6: Mitigate risks to data and systems created by supplier termination Ex7: Manage data leakage risks associated with supplier termination | |
Identify (ID): The organization's current cybersecurity risks are understood.
NIST CSF Outcome: Assets (e.g., data, hardware, software, systems, facilities, services, people) that enable the organisation to achieve business purposes are identified and managed consistent with their relative importance to organisational objectives and the organisation's risk strategy
Illustrative SFIA levels of responsibility for the NIST CSF outcome
| Primary Accountability | Typical Participation |
|---|---|
| Level 4-5. Who: Team leads and managers ensure asset inventories are maintained and assets are prioritized appropriately. Why this level: Operational management responsibility requiring technical expertise and coordination across teams, but typically not requiring executive-level decisions. | Levels 2-5. Key activities: L4-5: Accountable for inventory completeness, classification schemes, lifecycle management; L3: Maintain asset inventories, document data flows, classify assets; L2: Assist with asset discovery, update inventory records. |
| Rationale: Asset management is a technical/operational discipline requiring expert oversight but rarely requiring strategic executive involvement. | |
Illustrative SFIA skills mapping to the NIST CSF subcategories
| NIST CSF Subcategory | ID | NIST CSF Implementation examples | SFIA skills |
|---|---|---|---|
| Inventories of hardware managed by the organisation are maintained | ID.AM-01 | Ex1: Maintain inventories for all types of hardware, including IT, IoT, OT, and mobile devices; Ex2: Constantly monitor networks to detect new hardware and automatically update inventories | |
| Inventories of software, services, and systems managed by the organisation are maintained | ID.AM-02 | Ex1: Maintain inventories for all types of software and services, including commercial-off-the-shelf, open-source, custom applications, API services, and cloud-based applications and services; Ex2: Constantly monitor all platforms, including containers and virtual machines, for software and service inventory changes; Ex3: Maintain an inventory of the organisation's systems | |
| Representations of the organisation's authorised network communication and internal and external network data flows are maintained | ID.AM-03 | Ex1: Maintain baselines of communication and data flows within the organisation's wired and wireless networks; Ex2: Maintain baselines of communication and data flows between the organisation and third parties; Ex3: Maintain baselines of communication and data flows for the organisation's infrastructure-as-a-service (IaaS) usage; Ex4: Maintain documentation of expected network ports, protocols, and services that are typically used among authorised systems | |
| Inventories of services provided by suppliers are maintained | ID.AM-04 | Ex1: Inventory all external services used by the organisation, including third-party infrastructure-as-a-service (IaaS), platform-as-a-service (PaaS), and software-as-a-service (SaaS) offerings; APIs; and other externally hosted application services; Ex2: Update the inventory when a new external service is going to be utilised to ensure adequate cyber security risk management monitoring of the organisation's use of that service | |
| Assets are prioritised based on classification, criticality, resources, and impact on the mission | ID.AM-05 | Ex1: Define criteria for prioritising each class of assets; Ex2: Apply the prioritisation criteria to assets; Ex3: Track the asset priorities and update them periodically or when significant changes to the organisation occur | |
| Inventories of data and corresponding metadata for designated data types are maintained | ID.AM-07 | Ex1: Maintain a list of the designated data types of interest (e.g., personally identifiable information, protected health information, financial account numbers, organisation intellectual property, operational technology data); Ex2: Continuously discover and analyse ad hoc data to identify new instances of designated data types; Ex3: Assign data classifications to designated data types through tags or labels; Ex4: Track the provenance, data owner, and geolocation of each instance of designated data types | |
| Systems, hardware, software, services, and data are managed throughout their life cycles | ID.AM-08 | Ex1: Integrate cyber security considerations throughout the life cycles of systems, hardware, software, and services; Ex2: Integrate cyber security considerations into product life cycles; Ex3: Identify unofficial uses of technology to meet mission objectives (i.e., shadow IT); Ex4: Periodically identify redundant systems, hardware, software, and services that unnecessarily increase the organisation's attack surface; Ex5: Properly configure and secure systems, hardware, software, and services prior to their deployment in production; Ex6: Update inventories when systems, hardware, software, and services are moved or transferred within the organisation; Ex7: Securely destroy stored data based on the organisation's data retention policy using the prescribed destruction method, and keep and manage a record of the destructions; Ex8: Securely sanitise data storage when hardware is being retired, decommissioned, reassigned, or sent for repairs or replacement; Ex9: Offer methods for destroying paper, storage media, and other physical forms of data storage | Systems installation and removal (HSIN); Infrastructure operations (ITOP); Systems development management (DLMG) |
NIST CSF Outcome: The cyber security risk to the organisation, assets, and individuals is understood by the organisation
Illustrative SFIA levels of responsibility for the NIST CSF outcome
| Primary Accountability | Typical Participation |
|---|---|
| Level 4-5. Who: Security professionals and risk managers conduct assessments, prioritize responses, and provide authoritative guidance. Why this level: Requires deep technical expertise and judgment to assess threats/vulnerabilities; accountable for risk analysis quality. Key activities: | Levels 2-6. L6: Reviews risk assessment outcomes, makes decisions on significant risks. L4-5: Lead risk assessments, interpret threat intelligence, determine risk priorities, advise on responses. L2-3: Conduct vulnerability scans, document findings, support threat analysis. |
| Rationale: Risk assessment is a technical discipline requiring L4-5 expertise, with L6 involvement for strategic risk decisions. | |
Illustrative SFIA skills mapping to the NIST CSF subcategories
| NIST CSF Subcategory | ID | NIST CSF Implementation examples | SFIA skills |
|---|---|---|---|
| Vulnerabilities in assets are identified, validated, and recorded | ID.RA-01 | Ex1: Use vulnerability management technologies to identify unpatched and misconfigured software; Ex2: Assess network and system architectures for design and implementation weaknesses that affect cyber security; Ex3: Review, analyse, or test organisation-developed software to identify design, coding, and default configuration vulnerabilities; Ex4: Assess facilities that house critical computing assets for physical vulnerabilities and resilience issues; Ex5: Monitor sources of cyber threat intelligence for information on new vulnerabilities in products and services; Ex6: Review processes and procedures for weaknesses that could be exploited to affect cyber security | |
| Cyber threat intelligence is received from information sharing forums and sources | ID.RA-02 | Ex1: Configure cyber security tools and technologies with detection or response capabilities to securely ingest cyber threat intelligence feeds; Ex2: Receive and review advisories from reputable third parties on current threat actors and their tactics, techniques, and procedures (TTPs); Ex3: Monitor sources of cyber threat intelligence for information on the types of vulnerabilities that emerging technologies may have | |
| Internal and external threats to the organisation are identified and recorded | ID.RA-03 | Ex1: Use cyber threat intelligence to maintain awareness of the types of threat actors likely to target the organisation and the TTPs they are likely to use; Ex2: Perform threat hunting to look for signs of threat actors within the environment; Ex3: Implement processes for identifying internal threat actors | |
| Potential impacts and likelihoods of threats exploiting vulnerabilities are identified and recorded | ID.RA-04 | Ex1: Business leaders and cyber security risk management practitioners work together to estimate the likelihood and impact of risk scenarios and record them in risk registers; Ex2: Enumerate the potential business impacts of unauthorised access to the organisation's communications, systems, and data processed in or by those systems; Ex3: Account for the potential impacts of cascading failures for systems of systems | |
| Threats, vulnerabilities, likelihoods, and impacts are used to understand inherent risk and inform risk response prioritisation | ID.RA-05 | Ex1: Develop threat models to better understand risks to the data and identify appropriate risk responses; Ex2: Prioritise cyber security resource allocations and investments based on estimated likelihoods and impacts | |
| Risk responses are chosen, prioritised, planned, tracked, and communicated | ID.RA-06 | Ex1: Apply the vulnerability management plan's criteria for deciding whether to accept, transfer, mitigate, or avoid risk; Ex2: Apply the vulnerability management plan's criteria for selecting compensating controls to mitigate risk; Ex3: Track the progress of risk response implementation (e.g., plan of action and milestones [POA&M], risk register, risk detail report); Ex4: Use risk assessment findings to inform risk response decisions and actions; Ex5: Communicate planned risk responses to affected stakeholders in priority order | |
| Changes and exceptions are managed, assessed for risk impact, recorded, and tracked | ID.RA-07 | Ex1: Implement and follow procedures for the formal documentation, review, testing, and approval of proposed changes and requested exceptions; Ex2: Document the possible risks of making or not making each proposed change, and provide guidance on rolling back changes; Ex3: Document the risks related to each requested exception and the plan for responding to those risks; Ex4: Periodically review risks that were accepted based upon planned future actions or milestones | |
| Processes for receiving, analysing, and responding to vulnerability disclosures are established | ID.RA-08 | Ex1: Conduct vulnerability information sharing between the organisation and its suppliers following the rules and protocols defined in contracts; Ex2: Assign responsibilities and verify the execution of procedures for processing, analysing the impact of, and responding to cyber security threat, vulnerability, or incident disclosures by suppliers, customers, partners, and government cyber security organisations | |
| The authenticity and integrity of hardware and software are assessed prior to acquisition and use | ID.RA-09 | Ex1: Assess the authenticity and cyber security of critical technology products and services prior to acquisition and use | |
| Critical suppliers are assessed prior to acquisition | ID.RA-10 | Ex1: Conduct supplier risk assessments against business and applicable cyber security requirements, including the supply chain | |
NIST CSF Outcome: Improvements to organisational cyber security risk management processes, procedures and activities are identified across all CSF Functions
Illustrative SFIA levels of responsibility for the NIST CSF outcome
| Primary Accountability | Typical Participation |
|---|---|
| Level 4-5. Who: Security managers and senior practitioners identify and implement improvements across cybersecurity processes. Why this level: Requires expertise to evaluate effectiveness, identify improvement opportunities, and ensure implementation across the organization. Key activities: | Levels 2-6. L6: Approves significant improvement initiatives, allocates resources. L4-5: Lead improvement identification, coordinate implementation, measure effectiveness. L2-3: Execute improvements, document outcomes, support testing and evaluation. |
| Rationale: Continuous improvement requires operational management capability to identify, coordinate, and implement changes effectively. | |
Illustrative SFIA skills mapping to the NIST CSF subcategories
| NIST CSF Subcategory | ID | NIST CSF Implementation examples | SFIA skills |
|---|---|---|---|
| Improvements are identified from evaluations | ID.IM-01 | Ex1: Perform self-assessments of critical services that take current threats and TTPs into consideration; Ex2: Invest in third-party assessments or independent audits of the effectiveness of the organisation's cyber security program to identify areas that need improvement; Ex3: Constantly evaluate compliance with selected cyber security requirements through automated means | |
| Improvements are identified from security tests and exercises, including those done in coordination with suppliers and relevant third parties | ID.IM-02 | Ex1: Identify improvements for future incident response activities based on findings from incident response assessments (e.g., tabletop exercises and simulations, tests, internal reviews, independent audits); Ex2: Identify improvements for future business continuity, disaster recovery, and incident response activities based on exercises performed in coordination with critical service providers and product suppliers; Ex3: Involve internal stakeholders (e.g., senior executives, legal department, HR) in security tests and exercises as appropriate; Ex4: Perform penetration testing to identify opportunities to improve the security posture of selected high-risk systems as approved by leadership; Ex5: Exercise contingency plans for responding to and recovering from the discovery that products or services did not originate with the contracted supplier or partner or were altered before receipt; Ex6: Collect and analyse performance metrics using security tools and services to inform improvements to the cyber security program | Business process improvement (BPRE) |
| Improvements are identified from execution of operational processes, procedures, and activities | ID.IM-03 | Ex1: Conduct collaborative lessons learned sessions with suppliers; Ex2: Annually review cyber security policies, processes, and procedures to take lessons learned into account; Ex3: Use metrics to assess operational cyber security performance over time | Business situation analysis (BUSA); Stakeholder relationship management (RLMT) |
| Incident response plans and other cyber security plans that affect operations are established, communicated, maintained, and improved | ID.IM-04 | Ex1: Establish contingency plans (e.g., incident response, business continuity, disaster recovery) for responding to and recovering from adverse events that can interfere with operations, expose confidential information, or otherwise endanger the organisation's mission and viability; Ex2: Include contact and communication information, processes for handling common scenarios, and criteria for prioritisation, escalation, and elevation in all contingency plans; Ex3: Create a vulnerability management plan to identify and assess all types of vulnerabilities and to prioritise, test, and implement risk responses; Ex4: Communicate cyber security plans (including updates) to those responsible for carrying them out and to affected parties; Ex5: Review and update all cyber security plans annually or when a need for significant improvements is identified | Stakeholder relationship management (RLMT) |
Protect (PR): Safeguards to manage the organization's cybersecurity risks are used.
NIST CSF Outcome: Access to physical and logical assets is limited to authorised users, services, and hardware and managed commensurate with the assessed risk of unauthorised access
Illustrative SFIA levels of responsibility for the NIST CSF outcome
| Primary Accountability | Typical Participation |
|---|---|
| Level 4-5. Who: Identity and access management specialists and security architects ensure appropriate controls are implemented. Why this level: Requires technical expertise in identity systems and access controls; accountable for control effectiveness and security. Key activities: | Levels 2-6. L6: Approves access control policies and standards. L4-5: Design and ensure implementation of identity/access controls, provide technical leadership. L2-3: Implement controls, manage user accounts, review access permissions. |
| Rationale: Identity and access management requires strong technical capability at L4-5, with L6 accountability for policy and risk acceptance decisions. | |
Illustrative SFIA skills mapping to the NIST CSF subcategories
| NIST CSF Subcategory | ID | NIST CSF Implementation examples | SFIA skills |
|---|---|---|---|
| Identities and credentials for authorised users, services, and hardware are managed by the organisation | PR.AA-01 | Ex1: Initiate requests for new access or additional access for employees, contractors, and others, and track, review, and fulfil the requests, with permission from system or data owners when needed; Ex2: Issue, manage, and revoke cryptographic certificates and identity tokens, cryptographic keys (i.e., key management), and other credentials; Ex3: Select a unique identifier for each device from immutable hardware characteristics or an identifier securely provisioned to the device; Ex4: Physically label authorised hardware with an identifier for inventory and servicing purposes | Identity and access management (IAMT); Stakeholder relationship management (RLMT) |
| Identities are proofed and bound to credentials based on the context of interactions | PR.AA-02 | Ex1: Verify a person's claimed identity at enrolment time using government-issued identity credentials (e.g., passport, visa, driver's license); Ex2: Issue a different credential for each person (i.e., no credential sharing) | |
| Users, services, and hardware are authenticated | PR.AA-03 | Ex1: Require multifactor authentication; Ex2: Enforce policies for the minimum strength of passwords, PINs, and similar authenticators; Ex3: Periodically reauthenticate users, services, and hardware based on risk (e.g., in zero trust architectures); Ex4: Ensure that authorised personnel can access accounts essential for protecting safety under emergency conditions | Identity and access management (IAMT) |
| Identity assertions are protected, conveyed, and verified | PR.AA-04 | Ex1: Protect identity assertions that are used to convey authentication and user information through single sign-on systems; Ex2: Protect identity assertions that are used to convey authentication and user information between federated systems; Ex3: Implement standards-based approaches for identity assertions in all contexts, and follow all guidance for the generation (e.g., data models, metadata), protection (e.g., digital signing, encryption), and verification (e.g., signature validation) of identity assertions | |
| Access permissions, entitlements, and authorisations are defined in a policy, managed, enforced, and reviewed, and incorporate the principles of least privilege and separation of duties | PR.AA-05 | Ex1: Review logical and physical access privileges periodically and whenever someone changes roles or leaves the organisation, and promptly rescind privileges that are no longer needed; Ex2: Take attributes of the requester and the requested resource into account for authorisation decisions (e.g., geolocation, day/time, requester endpoint's cyber health); Ex3: Restrict access and privileges to the minimum necessary (e.g., zero trust architecture); Ex4: Periodically review the privileges associated with critical business functions to confirm proper separation of duties | Identity and access management (IAMT) |
| Physical access to assets is managed, monitored, and enforced commensurate with risk | PR.AA-06 | Ex1: Use security guards, security cameras, locked entrances, alarm systems, and other physical controls to monitor facilities and restrict access; Ex2: Employ additional physical security controls for areas that contain high-risk assets; Ex3: Escort guests, vendors, and other third parties within areas that contain business-critical assets | |
NIST CSF Outcome: The organisation's personnel are provided with cyber security awareness and training so that they can perform their cyber security-related tasks
Illustrative SFIA levels of responsibility for the NIST CSF outcome
| Primary Accountability | Typical Participation |
|---|---|
| Level 4-5. Who: Learning and development managers and senior security practitioners design and ensure delivery of training programs. Why this level: Requires expertise in both cybersecurity and learning design; accountable for program effectiveness. Key activities: | Levels 2-6. L6: Approves training strategy, allocates budget. L4-5: Design curricula, ensure delivery quality, measure effectiveness. L3: Deliver training, develop content. L2: Assist with training logistics, support content development. |
| Rationale: Training program management is an L4-5 accountability, though executive sponsorship (L6) is important for establishing a security-aware culture. | |
Illustrative SFIA skills mapping to the NIST CSF subcategories
| NIST CSF Subcategory | ID | NIST CSF Implementation examples | SFIA skills |
|---|---|---|---|
| Personnel are provided with awareness and training so that they possess the knowledge and skills to perform general tasks with cyber security risks in mind | PR.AT-01 | Ex1: Provide basic cyber security awareness and training to employees, contractors, partners, suppliers, and all other users of the organisation's non-public resources; Ex2: Train personnel to recognise social engineering attempts and other common attacks, report attacks and suspicious activity, comply with acceptable use policies, and perform basic cyber hygiene tasks (e.g., patching software, choosing passwords, protecting credentials); Ex3: Explain the consequences of cyber security policy violations, both to individual users and the organisation as a whole; Ex4: Periodically assess or test users on their understanding of basic cyber security practices; Ex5: Require annual refreshers to reinforce existing practices and introduce new practices | Learning and development management (ETMG) |
| Individuals in specialised roles are provided with awareness and training so that they possess the knowledge and skills to perform relevant tasks with cyber security risks in mind | PR.AT-02 | Ex1: Identify the specialised roles within the organisation that require additional cyber security training, such as physical and cyber security personnel, finance personnel, senior leadership, and anyone with access to business-critical data; Ex2: Provide role-based cyber security awareness and training to all those in specialised roles, including contractors, partners, suppliers, and other third parties; Ex3: Periodically assess or test users on their understanding of cyber security practices for their specialised roles; Ex4: Require annual refreshers to reinforce existing practices and introduce new practices | Learning and development management (ETMG) |
NIST CSF Outcome: Data are managed consistent with the organisation's risk strategy to protect the confidentiality, integrity, and availability of information
Illustrative SFIA levels of responsibility for the NIST CSF outcome
| Primary Accountability | Typical Participation |
|---|---|
| Level 4-5. Who: Data protection specialists and security architects ensure appropriate controls are implemented. Why this level: Requires technical expertise in encryption, access controls, and data protection; accountable for control effectiveness. Key activities: | Levels 2-6. L6: Approves data security policies, accountable for data protection strategy. L4-5: Design and ensure implementation of controls, provide technical leadership. L2-3: Implement controls, monitor data protection, perform backups. |
| Rationale: Data security requires strong technical capability at L4-5, with L6 accountability for policy and strategy. | |
Illustrative SFIA skills mapping to the NIST CSF subcategories
| NIST CSF Subcategory | ID | NIST CSF Implementation examples | SFIA skills |
|---|---|---|---|
| The confidentiality, integrity, and availability of data-at-rest are protected | PR.DS-01 | Ex1: Use encryption, digital signatures, and cryptographic hashes to protect the confidentiality and integrity of stored data in files, databases, virtual machine disk images, container images, and other resources; Ex2: Use full disk encryption to protect data stored on user endpoints; Ex3: Confirm the integrity of software by validating signatures; Ex4: Restrict the use of removable media to prevent data exfiltration; Ex5: Physically secure removable media containing unencrypted sensitive information, such as within locked offices or file cabinets | Information and data compliance (PEDP) |
| The confidentiality, integrity, and availability of data-in-transit are protected | PR.DS-02 | Ex1: Use encryption, digital signatures, and cryptographic hashes to protect the confidentiality and integrity of network communications; Ex2: Automatically encrypt or block outbound emails and other communications that contain sensitive data, depending on the data classification; Ex3: Block access to personal email, file sharing, file storage services, and other personal communications applications and services from organisational systems and networks; Ex4: Prevent reuse of sensitive data from production environments (e.g., customer records) in development, testing, and other non-production environments | |
| The confidentiality, integrity, and availability of data-in-use are protected | PR.DS-10 | Ex1: Remove data that must remain confidential (e.g., from processors and memory) as soon as it is no longer needed; Ex2: Protect data in use from access by other users and processes of the same platform | |
| Backups of data are created, protected, maintained, and tested | PR.DS-11 | Ex1: Continuously back up critical data in near-real-time, and back up other data frequently at agreed-upon schedules; Ex2: Test backups and restores for all types of data sources at least annually; Ex3: Securely store some backups offline and offsite so that an incident or disaster will not damage them; Ex4: Enforce geographic separation and geolocation restrictions for data backup storage | |
NIST CSF Outcome: The hardware, software (e.g., firmware, operating systems, applications), and services of physical and virtual platforms are managed consistent with the organisation's risk strategy to protect their confidentiality, integrity, and availability
Illustrative SFIA levels of responsibility for the NIST CSF outcome
| Primary Accountability | Typical Participation |
|---|---|
| Level 4-5. Who: System administrators and security engineers ensure platforms are securely configured and maintained. Why this level: Requires technical expertise in platform hardening and configuration management; accountable for platform security posture. Key activities: | Levels 2-5. L4-5: Establish configuration standards, ensure compliance, manage platform security. L2-3: Apply configurations, maintain systems, monitor platform security. |
| Rationale: Platform security is a technical discipline requiring L4-5 management to establish standards and ensure consistent application. | |
Illustrative SFIA skills mapping to the NIST CSF subcategories
| NIST CSF Subcategory | ID | NIST CSF Implementation examples | SFIA skills |
|---|---|---|---|
| Configuration management practices are established and applied | PR.PS-01 | Ex1: Establish, test, deploy, and maintain hardened baselines that enforce the organisation's cyber security policies and provide only essential capabilities (i.e., principle of least functionality); Ex2: Review all default configuration settings that may potentially impact cyber security when installing or upgrading software; Ex3: Monitor implemented software for deviations from approved baselines | |
| Software is maintained, replaced, and removed commensurate with risk | PR.PS-02 | Ex1: Perform routine and emergency patching within the timeframes specified in the vulnerability management plan; Ex2: Update container images, and deploy new container instances to replace rather than update existing instances; Ex3: Replace end-of-life software and service versions with supported, maintained versions; Ex4: Uninstall and remove unauthorised software and services that pose undue risks; Ex5: Uninstall and remove any unnecessary software components (e.g., operating system utilities) that attackers might misuse; Ex6: Define and implement plans for software and service end-of-life maintenance support and obsolescence | |
| Hardware is maintained, replaced, and removed commensurate with risk | PR.PS-03 | Ex1: Replace hardware when it lacks needed security capabilities or when it cannot support software with needed security capabilities; Ex2: Define and implement plans for hardware end-of-life maintenance support and obsolescence; Ex3: Perform hardware disposal in a secure, responsible, and auditable manner | |
| Log records are generated and made available for continuous monitoring | PR.PS-04 | Ex1: Configure all operating systems, applications, and services (including cloud-based services) to generate log records; Ex2: Configure log generators to securely share their logs with the organisation's logging infrastructure systems and services; Ex3: Configure log generators to record the data needed by zero-trust architectures | |
| Installation and execution of unauthorised software are prevented | PR.PS-05 | Ex1: When risk warrants it, restrict software execution to permitted products only or deny the execution of prohibited and unauthorised software; Ex2: Verify the source of new software and the software's integrity before installing it; Ex3: Configure platforms to use only approved DNS services that block access to known malicious domains; Ex4: Configure platforms to allow the installation of organisation-approved software only | |
| Secure software development practices are integrated, and their performance is monitored throughout the software development life cycle | PR.PS-06 | Ex1: Protect all components of organisation-developed software from tampering and unauthorised access; Ex2: Secure all software produced by the organisation, with minimal vulnerabilities in their releases; Ex3: Maintain the software used in production environments, and securely dispose of software once it is no longer needed | Programming/software development (PROG); Systems integration and build (SINT) |
NIST CSF Outcome: Security architectures are managed with the organisation's risk strategy to protect asset confidentiality, integrity, and availability, and organisational resilience
Illustrative SFIA levels of responsibility for the NIST CSF outcome
| Primary Accountability | Typical Participation |
|---|---|
| Level 4-6. Who: Infrastructure architects and managers (L4-5) ensure resilience; senior management (L6) for strategic resilience decisions. Why this level: Technical resilience requires architectural expertise (L4-5); strategic resilience investments require senior management authority (L6). Key activities: | Levels 2-6. L6: Approves resilience strategy and investments. L4-5: Design resilience architectures, ensure implementation, manage capacity. L2-3: Implement resilience controls, monitor infrastructure, respond to threats. |
| Rationale: Infrastructure resilience requires technical leadership at L4-5, with L6 involvement for significant investment decisions and strategic resilience planning. | |
Illustrative SFIA skills mapping to the NIST CSF subcategories
| NIST CSF Subcategory | ID | NIST CSF Implementation examples | SFIA skills |
|---|---|---|---|
| Networks and environments are protected from unauthorised logical access and usage | PR.IR-01 | Ex1: Logically segment organisation networks and cloud-based platforms according to trust boundaries and platform types (e.g., IT, IoT, OT, mobile, guests), and permit required communications only between segments; Ex2: Logically segment organisation networks from external networks, and permit only necessary communications to enter the organisation's networks from the external networks; Ex3: Implement zero trust architectures to restrict network access to each resource to the minimum necessary; Ex4: Check the cyber health of endpoints before allowing them to access and use production resources | |
| The organisation's technology assets are protected from environmental threats | PR.IR-02 | Ex1: Protect organisational equipment from known environmental threats, such as flooding, fire, wind, and excessive heat and humidity; Ex2: Include protection from environmental threats and provisions for adequate operating infrastructure in requirements for service providers that operate systems on the organisation's behalf | |
| Mechanisms are implemented to achieve resilience requirements in normal and adverse situations | PR.IR-03 | Ex1: Avoid single points of failure in systems and infrastructure; Ex2: Use load balancing to increase capacity and improve reliability; Ex3: Use high-availability components like redundant storage and power supplies to improve system reliability | |
| Adequate resource capacity to ensure availability is maintained | PR.IR-04 | Ex1: Monitor usage of storage, power, compute, network bandwidth, and other resources; Ex2: Forecast future needs, and scale resources accordingly | |
Detect (DE): Possible cybersecurity attacks and compromises are found and analyzed.
NIST CSF Outcome: Assets are monitored to find anomalies, indicators of compromise, and other potentially adverse events
Illustrative SFIA levels of responsibility for the NIST CSF outcome
| Primary Accountability | Typical Participation |
| --- | --- |
| Level 4-5. Who: Security operations managers and senior analysts ensure monitoring systems are effective. Why this level: Requires technical expertise in monitoring tools and threat detection, accountable for detection capability. Key activities: | Levels 2-5. L4-5: Design monitoring approach, ensure effectiveness, manage SOC operations. L2-3: Monitor alerts, investigate anomalies, document events. L2: Assist with alert triage, maintain monitoring tools |
| Rationale: Monitoring requires continuous technical operations with L4-5 oversight but doesn't typically require executive involvement. | |
Illustrative SFIA skills mapping to the NIST CSF subcategories
| NIST CSF Subcategory | ID | NIST CSF Implementation examples | SFIA skills |
| --- | --- | --- | --- |
| Networks and network services are monitored to find potentially adverse events | DE.CM-01 | Ex1: Monitor DNS, BGP, and other network services for adverse events; Ex2: Monitor wired and wireless networks for connections from unauthorised endpoints; Ex3: Monitor facilities for unauthorised or rogue wireless networks; Ex4: Compare actual network flows against baselines to detect deviations; Ex5: Monitor network communications to identify changes in security postures for zero trust purposes | Infrastructure operations ITOP |
| The physical environment is monitored to find potentially adverse events | DE.CM-02 | Ex1: Monitor logs from physical access control systems (e.g., badge readers) to find unusual access patterns (e.g., deviations from the norm) and failed access attempts; Ex2: Review and monitor physical access records (e.g., from visitor registration, sign-in sheets); Ex3: Monitor physical access controls (e.g., locks, latches, hinge pins, alarms) for signs of tampering; Ex4: Monitor the physical environment using alarm systems, cameras, and security guards | |
| Personnel activity and technology usage are monitored to find potentially adverse events | DE.CM-03 | Ex1: Use behaviour analytics software to detect anomalous user activity to mitigate insider threats; Ex2: Monitor logs from logical access control systems to find unusual access patterns and failed access attempts; Ex3: Continuously monitor deception technology, including user accounts, for any usage | |
| External service provider activities and services are monitored to find potentially adverse events | DE.CM-06 | Ex1: Monitor remote and onsite administration and maintenance activities that external providers perform on organisational systems; Ex2: Monitor activity from cloud-based services, internet service providers, and other service providers for deviations from expected behaviour | |
| Computing hardware and software, runtime environments, and their data are monitored to find potentially adverse events | DE.CM-09 | Ex1: Monitor email, web, file sharing, collaboration services, and other common attack vectors to detect malware, phishing, data leaks and exfiltration, and other adverse events; Ex2: Monitor authentication attempts to identify attacks against credentials and unauthorised credential reuse; Ex3: Monitor software configurations for deviations from security baselines; Ex4: Monitor hardware and software for signs of tampering; Ex5: Use technologies with a presence on endpoints to detect cyber health issues (e.g., missing patches, malware infections, unauthorised software), and redirect the endpoints to a remediation environment before access is authorised | Infrastructure operations ITOP |
NIST CSF Outcome: Anomalies, indicators of compromise, and other potentially adverse events are analysed to characterise the events and detect cyber security incidents
Illustrative SFIA levels of responsibility for the NIST CSF outcome
| Primary Accountability | Typical Participation |
| --- | --- |
| Level 4-5. Who: Senior security analysts and incident response leads analyse events and declare incidents. Why this level: Requires deep technical expertise and judgement to distinguish true incidents from noise, accountable for analysis quality. Key activities: | Levels 2-6. L6: Informed of significant incidents, makes strategic response decisions. L4-5: Lead analysis, interpret intelligence, declare incidents. L2-3: Perform initial analysis, correlate data, escalate findings |
| Rationale: Event analysis is highly technical (L4-5), with L6 involvement for major incidents requiring strategic decisions. | |
Illustrative SFIA skills mapping to the NIST CSF subcategories
| NIST CSF Subcategory | ID | NIST CSF Implementation examples | SFIA skills |
| --- | --- | --- | --- |
| Potentially adverse events are analysed to better understand associated activities | DE.AE-02 | Ex1: Use security information and event management (SIEM) or other tools to continuously monitor log events for known malicious and suspicious activity; Ex2: Utilise up-to-date cyber threat intelligence in log analysis tools to improve detection accuracy and characterise threat actors, their methods, and indicators of compromise; Ex3: Regularly conduct manual reviews of log events for technologies that cannot be sufficiently monitored through automation; Ex4: Use log analysis tools to generate reports on their findings | Infrastructure operations ITOP |
| Information is correlated from multiple sources | DE.AE-03 | Ex1: Constantly transfer log data generated by other sources to a relatively small number of log servers; Ex2: Use event correlation technology (e.g., SIEM) to collect information captured by multiple sources; Ex3: Utilise cyber threat intelligence to help correlate events among log sources | |
| The estimated impact and scope of adverse events are understood | DE.AE-04 | Ex1: Use SIEMs or other tools to estimate impact and scope, and review and refine the estimates; Ex2: A person creates their own estimates of impact and scope | |
| Information on adverse events is provided to authorised staff and tools | DE.AE-06 | Ex1: Use cyber security software to generate alerts and provide them to the security operations centre (SOC), incident responders, and incident response tools; Ex2: Incident responders and other authorised personnel can access log analysis findings at all times; Ex3: Automatically create and assign tickets in the organisation's ticketing system when certain types of alerts occur; Ex4: Manually create and assign tickets in the organisation's ticketing system when technical staff discover indicators of compromise | |
| Cyber threat intelligence and other contextual information are integrated into the analysis | DE.AE-07 | Ex1: Securely provide cyber threat intelligence feeds to detection technologies, processes, and personnel; Ex2: Securely provide information from asset inventories to detection technologies, processes, and personnel; Ex3: Rapidly acquire and analyse vulnerability disclosures for the organisation's technologies from suppliers, vendors, and third-party security advisories | |
| Incidents are declared when adverse events meet the defined incident criteria | DE.AE-08 | Ex1: Apply incident criteria to known and assumed characteristics of activity in order to determine whether an incident should be declared; Ex2: Take known false positives into account when applying incident criteria | |
Respond (RS): Actions regarding a detected cybersecurity incident are taken.
NIST CSF Outcome: Responses to detected cyber security incidents are managed
Illustrative SFIA levels of responsibility for the NIST CSF outcome
| Primary Accountability | Typical Participation |
| --- | --- |
| Level 4-6 (varies by incident severity). Who: Incident response managers (L4-5) for routine incidents; senior management (L6) for major incidents. Why this level: Routine incidents are managed by technical experts; major incidents require organisational coordination and executive decisions. Key activities: | Levels 2-6. L6: Manages major incidents, makes strategic decisions, coordinates with executives. L4-5: Lead incident response, coordinate teams, make tactical decisions. L2-3: Execute response actions, document activities, support investigation |
| Rationale: This is one area where level requirements vary significantly by incident severity and needs flexibility in description. | |
Illustrative SFIA skills mapping to the NIST CSF subcategories
| NIST CSF Subcategory | ID | NIST CSF Implementation examples | SFIA skills |
| --- | --- | --- | --- |
| The incident response plan is executed in coordination with relevant third parties once an incident is declared | RS.MA-01 | Ex1: Detection technologies automatically report confirmed incidents; Ex2: Request incident response assistance from the organisation's incident response outsourcer; Ex3: Designate an incident lead for each incident; Ex4: Initiate execution of additional cyber security plans as needed to support incident response (for example, business continuity and disaster recovery) | |
| Incident reports are triaged and validated | RS.MA-02 | Ex1: Preliminarily review incident reports to confirm that they are cyber security-related and necessitate incident response activities; Ex2: Apply criteria to estimate the severity of an incident | |
| Incidents are categorised and prioritised | RS.MA-03 | Ex1: Further review and categorise incidents based on the type of incident (e.g., data breach, ransomware, DDoS, account compromise); Ex2: Prioritise incidents based on their scope, likely impact, and time-critical nature; Ex3: Select incident response strategies for active incidents by balancing the need to quickly recover from an incident with the need to observe the attacker or conduct a more thorough investigation | |
| Incidents are escalated or elevated as needed | RS.MA-04 | Ex1: Track and validate the status of all ongoing incidents; Ex2: Coordinate incident escalation or elevation with designated internal and external stakeholders | |
| The criteria for initiating incident recovery are applied | RS.MA-05 | Ex1: Apply incident recovery criteria to known and assumed characteristics of the incident to determine whether incident recovery processes should be initiated; Ex2: Take the possible operational disruption of incident recovery activities into account | |
NIST CSF Outcome: Investigations are conducted to ensure effective response and support forensics and recovery activities
Illustrative SFIA levels of responsibility for the NIST CSF outcome
| Primary Accountability | Typical Participation |
| --- | --- |
| Level 4-5. Who: Digital forensics experts and senior security analysts conduct investigations and establish root causes. Why this level: Requires specialised technical expertise in forensics and investigation techniques, accountable for analysis quality. Key activities: | Levels 2-6. L6: Informed of significant findings, makes decisions based on analysis. L4-5: Lead investigations, perform root cause analysis, provide authoritative findings. L2-3: Collect evidence, document actions, support forensic activities |
| Rationale: Incident analysis requires specialised technical expertise at L4-5, with findings reported to L6 for major incidents. | |
Illustrative SFIA skills mapping to the NIST CSF subcategories
| NIST CSF Subcategory | ID | NIST CSF Implementation examples | SFIA skills |
| --- | --- | --- | --- |
| Analysis is performed to establish what has taken place during an incident and the root cause of the incident | RS.AN-03 | Ex1: Determine the sequence of events that occurred during the incident and which assets and resources were involved in each event; Ex2: Attempt to determine what vulnerabilities, threats, and threat actors were directly or indirectly involved in the incident; Ex3: Analyse the incident to find the underlying, systemic root causes; Ex4: Check any cyber deception technology for additional information on attacker behaviour | |
| Actions performed during an investigation are recorded, and the records' integrity and provenance are preserved | RS.AN-06 | Ex1: Require each incident responder and others (e.g., system administrators, cyber security engineers) who perform incident response tasks to record their actions and make the record immutable; Ex2: Require the incident lead to document the incident in detail and be responsible for preserving the integrity of the documentation and the sources of all information being reported | |
| Incident data and metadata are collected, and their integrity and provenance are preserved | RS.AN-07 | Ex1: Collect, preserve, and safeguard the integrity of all pertinent incident data and metadata (e.g., data source, date/time of collection) based on evidence preservation and chain-of-custody procedures | |
| An incident's magnitude is estimated and validated | RS.AN-08 | Ex1: Review other potential targets of the incident to search for indicators of compromise and evidence of persistence; Ex2: Automatically run tools on targets to look for indicators of compromise and evidence of persistence | |
NIST CSF Outcome: Response activities are coordinated with internal and external stakeholders as required by laws, regulations, or policies
Illustrative SFIA levels of responsibility for the NIST CSF outcome
| Primary Accountability | Typical Participation |
| --- | --- |
| Level 5-6. Who: Senior security managers (L5) coordinate routine reporting; senior management (L6) for significant incidents. Why this level: Requires judgement on stakeholder communication and understanding of regulatory requirements, with senior authority for significant incidents. Key activities: | Levels 3-6. L6: Manages communication for major incidents, interfaces with executives and regulators. L5: Coordinates routine incident reporting, ensures compliance. L3-4: Document incidents, prepare reports, support stakeholder communication |
| Rationale: Incident communication requires senior capability due to regulatory implications and stakeholder sensitivity, with L6 involvement for significant incidents. | |
Illustrative SFIA skills mapping to the NIST CSF subcategories
| NIST CSF Subcategory | ID | NIST CSF Implementation examples | SFIA skills |
| --- | --- | --- | --- |
| Internal and external stakeholders are notified of incidents | RS.CO-02 | Ex1: Follow the organisation's breach notification procedures after discovering a data breach incident, including notifying affected customers; Ex2: Notify business partners and customers of incidents in accordance with contractual requirements; Ex3: Notify law enforcement agencies and regulatory bodies of incidents based on criteria in the incident response plan and management approval | |
| Information is shared with designated internal and external stakeholders | RS.CO-03 | Ex1: Securely share information consistent with response plans and information sharing agreements; Ex2: Voluntarily share information about an attacker's observed TTPs, with all sensitive data removed, with an Information Sharing and Analysis Centre (ISAC); Ex3: Notify HR when malicious insider activity occurs; Ex4: Regularly update senior leadership on the status of major incidents; Ex5: Follow the rules and protocols defined in contracts for incident information sharing between the organisation and its suppliers; Ex6: Coordinate crisis communication methods between the organisation and its critical suppliers | |
NIST CSF Outcome: Activities are performed to prevent expansion of an event and mitigate its effects
Illustrative SFIA levels of responsibility for the NIST CSF outcome
| Primary Accountability | Typical Participation |
| --- | --- |
| Level 4-5. Who: Incident response leads and security engineers contain and eradicate incidents. Why this level: Requires technical expertise to execute containment and eradication effectively, accountable for mitigation actions. Key activities: | Levels 2-6. L6: Informed of significant mitigation decisions, approves actions with business impact. L4-5: Lead mitigation efforts, make tactical decisions, coordinate teams. L2-3: Execute containment actions, implement eradication procedures, document activities |
| Rationale: Incident mitigation is highly technical, requiring L4-5 leadership to coordinate and execute effectively. | |
Illustrative SFIA skills mapping to the NIST CSF subcategories
| NIST CSF Subcategory | ID | NIST CSF Implementation examples | SFIA skills |
| --- | --- | --- | --- |
| Incidents are contained | RS.MI-01 | Ex1: Cyber security technologies (e.g., antivirus software) and cyber security features of other technologies (e.g., operating systems, network infrastructure devices) automatically perform containment actions; Ex2: Allow incident responders to manually select and perform containment actions; Ex3: Allow a third party (e.g., internet service provider, managed security service provider) to perform containment actions on behalf of the organisation; Ex4: Automatically transfer compromised endpoints to a remediation virtual local area network (VLAN) | |
| Incidents are eradicated | RS.MI-02 | Ex1: Cyber security technologies and cyber security features of other technologies (e.g., operating systems, network infrastructure devices) automatically perform eradication actions; Ex2: Allow incident responders to manually select and perform eradication actions; Ex3: Allow a third party (e.g., managed security service provider) to perform eradication actions on behalf of the organisation | |
Recover (RC): Assets and operations affected by a cybersecurity incident are restored.
NIST CSF Outcome: Restoration activities are performed to ensure operational availability of systems and services affected by cyber security incidents
Illustrative SFIA levels of responsibility for the NIST CSF outcome
| Primary Accountability | Typical Participation |
| --- | --- |
| Level 4-6 (varies by incident severity). Who: Recovery managers (L4-5) for routine incidents; senior management (L6) for major incidents. Why this level: Routine recovery is technical execution; major incident recovery requires organisational coordination and business decisions. Key activities: | Levels 2-6. L6: Manages major incident recovery, makes business continuity decisions, coordinates organisational response. L4-5: Lead recovery execution, verify restoration, coordinate technical activities. L2-3: Perform restoration actions, verify systems, document recovery |
| Rationale: Recovery requirements vary by incident severity, with routine incidents managed at L4-5 and major incidents requiring L6 authority for business decisions. | |
Illustrative SFIA skills mapping to the NIST CSF subcategories
| NIST CSF Subcategory | ID | NIST CSF Implementation examples | SFIA skills |
| --- | --- | --- | --- |
| The recovery portion of the incident response plan is executed once initiated from the incident response process | RC.RP-01 | Ex1: Begin recovery procedures during or after incident response processes; Ex2: Make all individuals with recovery responsibilities aware of the plans for recovery and the authorisations required to implement each aspect of the plans | |
| Recovery actions are selected, scoped, prioritised, and performed | RC.RP-02 | Ex1: Select recovery actions based on the criteria defined in the incident response plan and available resources; Ex2: Change planned recovery actions based on a reassessment of organisational needs and resources | |
| The integrity of backups and other restoration assets is verified before using them for restoration | RC.RP-03 | Ex1: Check restoration assets for indicators of compromise, file corruption, and other integrity issues before use | |
| Critical mission functions and cyber security risk management are considered to establish post-incident operational norms | RC.RP-04 | Ex1: Use business impact and system categorisation records (including service delivery objectives) to validate that essential services are restored in the appropriate order; Ex2: Work with system owners to confirm the successful restoration of systems and the return to normal operations; Ex3: Monitor the performance of restored systems to verify the adequacy of the restoration | |
| The integrity of restored assets is verified, systems and services are restored, and normal operating status is confirmed | RC.RP-05 | Ex1: Check restored assets for indicators of compromise and remediation of root causes of the incident before production use; Ex2: Verify the correctness and adequacy of the restoration actions taken before putting a restored system online | |
| The end of incident recovery is declared based on criteria, and incident-related documentation is completed | RC.RP-06 | Ex1: Prepare an after-action report that documents the incident itself, the response and recovery actions taken, and lessons learned; Ex2: Declare the end of incident recovery once the criteria are met | |
NIST CSF Outcome: Restoration activities are coordinated with internal and external parties
Illustrative SFIA levels of responsibility for the NIST CSF outcome
| Primary Accountability | Typical Participation |
| --- | --- |
| Level 5-6. Who: Senior security managers (L5) coordinate routine recovery communication; senior management (L6) for major incidents. Why this level: Requires judgement on stakeholder communication and business context, with senior authority for significant incidents. Key activities: | Levels 3-6. L6: Manages public communication for major incidents, interfaces with executives and external parties. L5: Coordinates recovery communication, manages internal stakeholder updates. L3-4: Document recovery progress, prepare status reports, support communication activities |
| Rationale: Recovery communication requires senior capability for stakeholder management, with L6 involvement for public-facing communication on significant incidents. | |
Illustrative SFIA skills mapping to the NIST CSF subcategories
| NIST CSF Subcategory | ID | NIST CSF Implementation examples | SFIA skills |
| --- | --- | --- | --- |
| Recovery activities and progress in restoring operational capabilities are communicated to designated internal and external stakeholders | RC.CO-03 | Ex1: Securely share recovery information, including restoration progress, consistent with response plans and information sharing agreements; Ex2: Regularly update senior leadership on recovery status and restoration progress for major incidents; Ex3: Follow the rules and protocols defined in contracts for incident information sharing between the organisation and its suppliers; Ex4: Coordinate crisis communication between the organisation and its critical suppliers | |
| Public updates on incident recovery are shared using approved methods and messaging | RC.CO-04 | Ex1: Follow the organisation's breach notification procedures for recovering from a data breach incident; Ex2: Explain the steps being taken to recover from the incident and to prevent a recurrence | |