[{"data":1,"prerenderedAt":7139},["ShallowReactive",2],{"framework-topics-nistcsf":3,"framework-nistcsf":3785,"related-glossary-continuous-monitoring-audit-trail-siem":4397,"explore-glossary-nistcsf-\u002Fframeworks\u002Fnistcsf\u002Fdetect-function":4907,"explore-topics-nistcsf-\u002Fframeworks\u002Fnistcsf\u002Fdetect-function":5690,"explore-hub-nistcsf":6195,"explore-compare-vs-\u002Fframeworks\u002Fnistcsf\u002Fdetect-function":6570,"explore-compare-\u002Fframeworks\u002Fnistcsf\u002Fdetect-function":6737,"explore-blog-nistcsf-\u002Fframeworks\u002Fnistcsf\u002Fdetect-function":6858,"explore-industry-nistcsf":7055},[4,332,643,1102,1419,1715,2119,2573,2866,3146,3423],{"id":5,"title":6,"body":7,"description":297,"extension":298,"faq":299,"frameworkSlug":313,"lastUpdated":314,"meta":315,"navigation":316,"path":317,"relatedTerms":318,"relatedTopics":322,"seo":327,"stem":330,"__hash__":331},"frameworkTopics\u002F5.frameworks\u002Fnistcsf\u002Fdetect-function.md","NIST CSF Detect Function",{"type":8,"value":9,"toc":283},"minimark",[10,15,24,27,30,34,37,82,85,90,93,96,118,122,125,128,142,146,149,194,198,201,239,243,246,249,253,267],[11,12,14],"h2",{"id":13},"what-is-the-nist-csf-detect-function","What is the NIST CSF Detect function?",[16,17,18,19,23],"p",{},"The ",[20,21,22],"strong",{},"Detect (DE) function"," develops and implements activities to identify the occurrence of a cybersecurity event in a timely manner. Detect is where the cybersecurity program proves it can see what is actually happening. No preventive control is perfect, and the gap between compromise and detection — dwell time — is one of the most decisive variables in the final impact of an attack. An adversary detected within hours is an incident; an adversary detected after six months is a breach.",[16,25,26],{},"Detect sits between Protect (the preventive function) and Respond (the reactive function). 
Telemetry from the platforms, identities, data stores, and networks protected in the Protect function flows into Detect, where continuous monitoring and event analysis turn raw signals into actionable alerts. Those alerts become the inputs to Respond.",[16,28,29],{},"Detect is also the function most likely to be measured badly. A detection program that produces thousands of alerts that nobody reads is not detecting anything; it is generating noise. Mature NIST CSF Detect programs are judged by mean time to detect (MTTD), true-positive rate, and coverage against relevant threat scenarios — not by alert volume.",[11,31,33],{"id":32},"how-detect-changed-in-nist-csf-20","How Detect changed in NIST CSF 2.0",[16,35,36],{},"NIST CSF 1.1 split the Detect function into three categories: Anomalies and Events (DE.AE), Security Continuous Monitoring (DE.CM), and Detection Processes (DE.DP). NIST CSF 2.0 consolidated these into two:",[38,39,40,56],"table",{},[41,42,43],"thead",{},[44,45,46,50,53],"tr",{},[47,48,49],"th",{},"Category",[47,51,52],{},"ID",[47,54,55],{},"Focus",[57,58,59,71],"tbody",{},[44,60,61,65,68],{},[62,63,64],"td",{},"Continuous Monitoring",[62,66,67],{},"DE.CM",[62,69,70],{},"Monitoring of networks, physical environments, personnel activity, and third parties",[44,72,73,76,79],{},[62,74,75],{},"Adverse Event Analysis",[62,77,78],{},"DE.AE",[62,80,81],{},"Analysis of anomalies, correlation across sources, and characterization of events",[16,83,84],{},"The old Detection Processes category (DE.DP) was partially folded into DE.AE and partially moved into the Govern function's roles and oversight outcomes and the Identify function's Improvement (ID.IM) category. 
The net effect is a cleaner distinction: DE.CM is the telemetry layer, DE.AE is the analysis layer, and governance of the detection program itself is handled through Govern.",[86,87,89],"h3",{"id":88},"continuous-monitoring-decm","Continuous Monitoring (DE.CM)",[16,91,92],{},"DE.CM covers the collection of telemetry and the continuous monitoring of the environment for cybersecurity-relevant signals. This includes monitoring of networks, endpoints, cloud services, applications, identities, physical environments, personnel activity, and third-party connections. DE.CM outcomes are usually measured in coverage: what percentage of the environment is visible, which assets or tiers of assets are blind spots, and whether critical logs are being retained for long enough to support Respond and Recover.",[16,94,95],{},"A healthy DE.CM program integrates logs from:",[97,98,99,103,106,109,112,115],"ul",{},[100,101,102],"li",{},"Endpoints — EDR agents across workstations, servers, and mobile devices.",[100,104,105],{},"Identity providers — authentication logs, privileged access, federation, and token issuance events.",[100,107,108],{},"Cloud providers — control-plane audit logs, data-plane access logs, and configuration change logs.",[100,110,111],{},"Network — flow data, DNS logs, and network detection and response (NDR) sensors on segments where they are warranted.",[100,113,114],{},"Applications — application-layer logs for critical business systems.",[100,116,117],{},"Third parties — logs from managed service providers, SaaS vendors, and partners with privileged access.",[86,119,121],{"id":120},"adverse-event-analysis-deae","Adverse Event Analysis (DE.AE)",[16,123,124],{},"DE.AE takes the raw signals collected by DE.CM and turns them into characterized events. Analysts triage anomalies, correlate across sources, determine the scope and potential impact, and decide whether an event warrants escalation to the Respond function. DE.AE is where the real expertise lives. 
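Added example, not code from the page or from episki: a small Python pass in the DE.AE style over constructed identity-provider events, serving both this analysis paragraph and the high-fidelity identity detections step under Implementation guidance below. It turns raw sign-ins into an impossible-travel anomaly, then correlates that anomaly with a privileged role grant by the same user to characterize the combination as a high-severity event ready for handoff to Respond. The event fields, the 1000 km/h speed threshold, the 50 km GeoIP jitter allowance and the 30-minute correlation window are all assumptions for illustration, not any vendor's schema or a recommended setting.

```python
# Added example (not from the page): a DE.AE-style analysis pass over
# constructed identity-provider events. Field names, thresholds and the
# sample data below are assumptions for illustration only.
import math
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample telemetry: sign-ins and a role grant from one IdP.
EVENTS = [
    {'type': 'signin', 'user': 'alice', 'ts': '2025-03-01T09:00:00Z', 'ip': '203.0.113.10', 'lat': 51.5, 'lon': -0.12},
    {'type': 'signin', 'user': 'alice', 'ts': '2025-03-01T09:40:00Z', 'ip': '198.51.100.7', 'lat': 40.71, 'lon': -74.0},
    {'type': 'role_grant', 'user': 'alice', 'ts': '2025-03-01T09:52:00Z', 'role': 'Global Administrator', 'target': 'svc-backup'},
    {'type': 'signin', 'user': 'bob', 'ts': '2025-03-01T10:00:00Z', 'ip': '192.0.2.5', 'lat': 48.85, 'lon': 2.35},
    {'type': 'signin', 'user': 'bob', 'ts': '2025-03-01T18:00:00Z', 'ip': '192.0.2.9', 'lat': 52.52, 'lon': 13.4},
]

MAX_SPEED_KMH = 1000        # assumed: faster than any commercial flight
SAME_PLACE_KM = 50          # assumed: GeoIP jitter inside one metro area
CORRELATION_WINDOW_S = 1800 # assumed: 30 minutes between anomaly and grant

def parse_ts(s):
    return datetime.strptime(s, '%Y-%m-%dT%H:%M:%SZ').replace(tzinfo=timezone.utc)

def haversine_km(lat1, lon1, lat2, lon2):
    # Great-circle distance between two GeoIP points in kilometres.
    r = 6371.0
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = math.radians(lat2 - lat1)
    dlam = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlam / 2) ** 2
    return 2 * r * math.asin(math.sqrt(a))

def impossible_travel(events):
    # DE.CM delivers the raw sign-ins; this is the DE.AE step that turns
    # consecutive sign-ins per user into a characterized anomaly.
    by_user = defaultdict(list)
    for e in events:
        if e['type'] == 'signin':
            by_user[e['user']].append(e)
    findings = []
    for user, signins in by_user.items():
        signins.sort(key=lambda e: parse_ts(e['ts']))
        for prev, cur in zip(signins, signins[1:]):
            km = haversine_km(prev['lat'], prev['lon'], cur['lat'], cur['lon'])
            if km < SAME_PLACE_KM:
                continue  # jitter within one city is not travel
            hours = (parse_ts(cur['ts']) - parse_ts(prev['ts'])).total_seconds() / 3600
            # Two distant sign-ins in the same second are impossible too.
            speed = km / hours if hours > 0 else float('inf')
            if speed > MAX_SPEED_KMH:
                findings.append({'rule': 'impossible_travel', 'user': user, 'ts': cur['ts'],
                                 'ip': cur['ip'], 'speed_kmh': round(speed) if hours > 0 else None,
                                 'severity': 'medium'})
    return findings

def correlate_privilege_grants(events, anomalies):
    # Raise severity when a privileged role grant follows an anomalous sign-in
    # by the same user inside the window: the combination is far more likely to
    # be a real compromise than either signal alone.
    escalations = []
    for grant in (e for e in events if e['type'] == 'role_grant'):
        gts = parse_ts(grant['ts'])
        for a in anomalies:
            if a['user'] != grant['user']:
                continue
            delta = (gts - parse_ts(a['ts'])).total_seconds()
            if 0 <= delta <= CORRELATION_WINDOW_S:
                escalations.append({'rule': 'anomalous_signin_then_privilege_grant', 'user': grant['user'],
                                    'role': grant['role'], 'target': grant['target'], 'lag_s': int(delta),
                                    'severity': 'high', 'escalate_to_respond': True})
    return escalations

def analyze(events):
    # Characterized events, in the order DE.AE would hand them to Respond.
    anomalies = impossible_travel(events)
    return anomalies + correlate_privilege_grants(events, anomalies)

if __name__ == '__main__':
    for finding in analyze(EVENTS):
        print(finding)
```

Run it as a script to print the findings. The point is the second rule: on its own, impossible travel derived from a GeoIP database is a medium-confidence signal that VPNs and mobile carriers trigger constantly; the same signal followed within minutes by a Global Administrator grant is the cross-source correlation that DE.AE exists to make, and it is the one that deserves a runbook and a clear handoff to Respond.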
Signatures catch known-bad behavior; DE.AE analysis catches the variants, the novel techniques, and the low-and-slow activity that evades pure-signature detection.",[16,126,127],{},"Mature DE.AE practices include:",[97,129,130,133,136,139],{},[100,131,132],{},"Threat-informed detection engineering — mapping detection coverage to a threat model such as MITRE ATT&CK.",[100,134,135],{},"Purple-team exercises that test whether detections actually fire against realistic attack scenarios.",[100,137,138],{},"Documented triage runbooks that produce consistent decisions regardless of which analyst is on shift.",[100,140,141],{},"Feedback loops from Respond back to DE.AE — every incident becomes an opportunity to improve future detection.",[11,143,145],{"id":144},"implementation-guidance","Implementation guidance",[16,147,148],{},"A pragmatic sequence for standing up the Detect function:",[150,151,152,158,164,170,176,182,188],"ol",{},[100,153,154,157],{},[20,155,156],{},"Decide what must be detected."," Start from the prioritized risk register in the Identify function. Pick the top threat scenarios that matter most to the business — ransomware on critical systems, credential theft of privileged identities, exfiltration of regulated data — and design detection coverage to meet them.",[100,159,160,163],{},[20,161,162],{},"Centralize logs."," Choose a SIEM, a log analytics platform, or a managed detection service. What matters is that logs from endpoints, identities, and cloud control planes are collected, retained for a defined period, and searchable.",[100,165,166,169],{},[20,167,168],{},"Start with high-fidelity detections."," Identity-centric detections (impossible travel, MFA bypass, new admin creation, token theft indicators) and EDR-based detections tend to produce the highest signal-to-noise ratios. Expand from there.",[100,171,172,175],{},[20,173,174],{},"Write and test runbooks."," Every detection should have a runbook that tells an analyst how to triage it. 
Runbooks should be living documents updated after every incident.",[100,177,178,181],{},[20,179,180],{},"Tune continuously."," Alert fatigue kills detection programs. Measure false-positive rates and either tune, suppress, or remove noisy detections.",[100,183,184,187],{},[20,185,186],{},"Measure coverage against a framework."," Use MITRE ATT&CK or a similar model to track detection coverage over time. Coverage gaps become initiatives in the NIST CSF roadmap.",[100,189,190,193],{},[20,191,192],{},"Feed improvements back to Govern and Identify."," Detection findings often change the risk picture; that information belongs in the risk register and in leadership reporting.",[11,195,197],{"id":196},"common-challenges","Common challenges",[16,199,200],{},"Detect programs commonly hit these walls:",[97,202,203,209,215,221,227,233],{},[100,204,205,208],{},[20,206,207],{},"Tooling without tuning."," A SIEM deployed and left on defaults produces a flood of low-value alerts. Investment in detection engineering is non-negotiable.",[100,210,211,214],{},[20,212,213],{},"Coverage illusions."," Dashboards that count log sources ingested rather than relevant telemetry collected can create a false sense of coverage. Measure coverage against real threat scenarios, not against log volume.",[100,216,217,220],{},[20,218,219],{},"Logs that cannot be searched quickly."," Detection value evaporates if analysts cannot query logs in seconds. Storage architecture and retention policies matter as much as collection.",[100,222,223,226],{},[20,224,225],{},"Alert fatigue."," Analysts triaging hundreds of alerts per shift will miss the important ones. Suppress noise aggressively and treat alert volume as a defect metric, not a success metric.",[100,228,229,232],{},[20,230,231],{},"No purple-teaming."," Detections that have never been tested against realistic attack simulations often fail silently when a real attack occurs. 
Regular purple-team exercises validate that the detections actually work.",[100,234,235,238],{},[20,236,237],{},"Unclear escalation criteria."," Analysts need a clear rule for when an adverse event becomes an incident and handoff to the Respond function begins. Ambiguity here costs minutes that matter.",[11,240,242],{"id":241},"measuring-detect-outcomes","Measuring Detect outcomes",[16,244,245],{},"Mean time to detect (MTTD) is the headline metric for the NIST CSF Detect function, but MTTD alone can be misleading. A Detect program with excellent MTTD for commodity malware but no visibility into identity-based attacks is not actually strong. Mature Detect programs report a small portfolio of metrics: MTTD by scenario class, true-positive rate per detection, alert-to-escalation time, coverage of the MITRE ATT&CK tactics most relevant to the threat model, and percentage of incidents first detected by internal telemetry rather than by a third party or an affected customer. That last metric — internal-first detection rate — is often the most honest measure of Detect maturity.",[16,247,248],{},"Detect also benefits from ongoing threat intelligence integration. Intelligence about current adversary behavior, sector-specific threats, and software supply chain compromises should flow into the detection engineering backlog and update existing detections. Without this feedback loop, DE.CM coverage and DE.AE analytics slowly drift behind what attackers are actually doing.",[11,250,252],{"id":251},"how-episki-helps","How episki helps",[16,254,255,256,261,262,266],{},"episki connects directly to your identity provider, EDR, cloud accounts, and SIEM to measure DE.CM coverage and DE.AE performance as living metrics. Coverage gaps against the risk scenarios that matter most to the business become tracked initiatives with owners and due dates. 
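The metric portfolio described under Measuring Detect outcomes, computed over constructed records as an added example (not code from the page or from episki): MTTD per scenario class, true-positive rate per detection rule, mean alert-to-escalation time, internal-first detection rate, and the rules that are candidates for tuning or removal. The record shapes, timestamps and dispositions are assumptions for illustration.

```python
# Added example (not from the page): the Detect scorecard the text describes,
# computed from constructed incident and alert records. Shapes and values
# below are assumptions for illustration only.
from collections import defaultdict
from datetime import datetime, timezone

def parse_ts(s):
    return datetime.strptime(s, '%Y-%m-%dT%H:%M:%SZ').replace(tzinfo=timezone.utc)

# Constructed incident register: when the adversary got in, when we noticed,
# and who noticed first.
INCIDENTS = [
    {'id': 'INC-1', 'class': 'ransomware', 'compromised': '2025-02-01T02:00:00Z', 'detected': '2025-02-01T04:00:00Z', 'detected_by': 'internal'},
    {'id': 'INC-2', 'class': 'identity', 'compromised': '2025-02-03T10:00:00Z', 'detected': '2025-02-10T10:00:00Z', 'detected_by': 'third_party'},
    {'id': 'INC-3', 'class': 'identity', 'compromised': '2025-02-12T08:00:00Z', 'detected': '2025-02-12T09:00:00Z', 'detected_by': 'internal'},
    {'id': 'INC-4', 'class': 'exfiltration', 'compromised': '2025-02-15T00:00:00Z', 'detected': '2025-03-01T00:00:00Z', 'detected_by': 'customer'},
]

# Constructed alert log with analyst dispositions (tp = true positive).
ALERTS = [
    {'rule': 'impossible_travel', 'created': '2025-02-12T08:05:00Z', 'escalated': '2025-02-12T08:35:00Z', 'disposition': 'tp'},
    {'rule': 'impossible_travel', 'created': '2025-02-13T11:00:00Z', 'escalated': None, 'disposition': 'fp'},
    {'rule': 'edr_ransomware_behaviour', 'created': '2025-02-01T03:50:00Z', 'escalated': '2025-02-01T04:00:00Z', 'disposition': 'tp'},
    {'rule': 'noisy_port_scan', 'created': '2025-02-05T12:00:00Z', 'escalated': None, 'disposition': 'fp'},
    {'rule': 'noisy_port_scan', 'created': '2025-02-06T12:00:00Z', 'escalated': None, 'disposition': 'fp'},
]

def mttd_hours_by_class(incidents):
    # MTTD per scenario class: one blended number would hide the seven-day
    # identity gap behind the two-hour ransomware detection.
    hours_by_class = defaultdict(list)
    for i in incidents:
        hours = (parse_ts(i['detected']) - parse_ts(i['compromised'])).total_seconds() / 3600
        hours_by_class[i['class']].append(hours)
    return {c: round(sum(h) / len(h), 1) for c, h in hours_by_class.items()}

def true_positive_rate_by_rule(alerts):
    counts = defaultdict(lambda: [0, 0])  # rule -> [true positives, total]
    for a in alerts:
        counts[a['rule']][1] += 1
        if a['disposition'] == 'tp':
            counts[a['rule']][0] += 1
    return {r: round(tp / total, 2) for r, (tp, total) in counts.items()}

def mean_alert_to_escalation_minutes(alerts):
    # Only alerts that were actually escalated contribute; None when none were.
    lags = [(parse_ts(a['escalated']) - parse_ts(a['created'])).total_seconds() / 60
            for a in alerts if a['escalated']]
    return round(sum(lags) / len(lags), 1) if lags else None

def internal_first_rate(incidents):
    # Share of incidents our own telemetry found before a vendor, partner or
    # affected customer told us. None when there are no incidents to score.
    if not incidents:
        return None
    internal = sum(1 for i in incidents if i['detected_by'] == 'internal')
    return round(internal / len(incidents), 2)

def noisy_rules(alerts, min_alerts=2, max_tp_rate=0.0):
    # Tuning or removal candidates: rules that fire repeatedly and never
    # produce a true positive. Alert volume is treated as a defect metric.
    rates = true_positive_rate_by_rule(alerts)
    volume = defaultdict(int)
    for a in alerts:
        volume[a['rule']] += 1
    return sorted(r for r in rates if volume[r] >= min_alerts and rates[r] <= max_tp_rate)

def detect_scorecard(incidents, alerts):
    return {
        'mttd_hours_by_class': mttd_hours_by_class(incidents),
        'tp_rate_by_rule': true_positive_rate_by_rule(alerts),
        'alert_to_escalation_min': mean_alert_to_escalation_minutes(alerts),
        'internal_first_rate': internal_first_rate(incidents),
        'tuning_candidates': noisy_rules(alerts),
    }

if __name__ == '__main__':
    print(detect_scorecard(INCIDENTS, ALERTS))
```

Over these four constructed incidents a single blended MTTD would be about 127 hours, a number that hides both the two-hour ransomware detection and the fourteen-day exfiltration miss; reporting by class and pairing it with the internal-first rate (here 0.5, because half the incidents were reported by outsiders) is what surfaces the gap that actually matters.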
Detection engineering improvements captured in one place are automatically reflected in the NIST CSF profile and in the corresponding ",[257,258,260],"a",{"href":259},"\u002Fframeworks\u002Fsoc2","SOC 2",", ",[257,263,265],{"href":264},"\u002Fframeworks\u002Fiso27001","ISO 27001",", HIPAA, and PCI DSS controls. Leadership sees mean time to detect trending down quarter over quarter; practitioners see the concrete work that made it happen.",[16,268,269,270,276,277,282],{},"Ready to turn the NIST CSF Detect function into live, measurable operations? ",[257,271,275],{"href":272,"rel":273},"https:\u002F\u002Fepiski.app\u002Fauth\u002Fregister",[274],"nofollow","Start a trial"," or ",[257,278,281],{"href":279,"rel":280},"https:\u002F\u002Fcalendly.com\u002Fjustinleapline\u002Fepiski-demo",[274],"book a demo",".",{"title":284,"searchDepth":285,"depth":285,"links":286},"",2,[287,288,293,294,295,296],{"id":13,"depth":285,"text":14},{"id":32,"depth":285,"text":33,"children":289},[290,292],{"id":88,"depth":291,"text":89},3,{"id":120,"depth":291,"text":121},{"id":144,"depth":285,"text":145},{"id":196,"depth":285,"text":197},{"id":241,"depth":285,"text":242},{"id":251,"depth":285,"text":252},"A complete guide to the NIST CSF Detect function — continuous monitoring, adverse event analysis, and detection processes that surface attacks in time to respond.","md",{"items":300},[301,304,307,310],{"label":302,"content":303},"What is the Detect function in NIST CSF?","The Detect function develops and implements activities to identify the occurrence of a cybersecurity event in a timely manner. Detect covers continuous monitoring, anomaly and event analysis, and the detection processes that turn telemetry into actionable alerts. 
Strong Detect shrinks dwell time — the gap between when an attacker gets in and when the organization notices.",{"label":305,"content":306},"How did the Detect function change in NIST CSF 2.0?","NIST CSF 2.0 consolidated the original three Detect categories (Anomalies and Events, Security Continuous Monitoring, Detection Processes) into two: Continuous Monitoring (DE.CM) and Adverse Event Analysis (DE.AE). The outcomes previously captured in Detection Processes were folded into DE.AE and the Govern function's oversight category.",{"label":308,"content":309},"What should Detect actually produce?","Detect should produce high-fidelity alerts that reach a human or automated responder within minutes and that clearly describe what happened, on which asset, affecting which data, with enough context to begin response. The measure of a healthy Detect program is mean time to detect (MTTD) and the ratio of true-positive to false-positive alerts.",{"label":311,"content":312},"Do small organizations need a SIEM to satisfy Detect?","Not necessarily. The NIST Cybersecurity Framework is outcome-based — Detect requires that cybersecurity events are identified in a timely manner, not that a specific tool is deployed. Small organizations can often meet early Detect maturity with cloud-native logging, endpoint detection and response (EDR), identity provider logs, and managed detection and response (MDR) services.","nistcsf","2026-04-16",{},true,"\u002Fframeworks\u002Fnistcsf\u002Fdetect-function",[319,320,321],"continuous-monitoring","audit-trail","siem",[323,324,325,326],"protect-function","respond-function","govern-function","framework-profiles",{"title":328,"description":329},"NIST CSF Detect Function (DE): Categories, Subcategories, and Implementation","The NIST CSF Detect function finds cybersecurity events in time to act. 
Learn DE.CM and DE.AE, build continuous monitoring coverage, and tune detections for real outcomes.","5.frameworks\u002Fnistcsf\u002Fdetect-function","sEHcc6r9XFqgU6hABosa6ZvV_DEYLoLv0_0t5JictYc",{"id":333,"title":334,"body":335,"description":629,"extension":298,"faq":630,"frameworkSlug":313,"lastUpdated":314,"meta":631,"navigation":316,"path":632,"relatedTerms":633,"relatedTopics":635,"seo":638,"stem":641,"__hash__":642},"frameworkTopics\u002F5.frameworks\u002Fnistcsf\u002Ffive-functions.md","NIST CSF Five Functions",{"type":8,"value":336,"toc":605},[337,341,344,347,355,359,362,366,372,378,384,390,396,402,406,409,413,416,419,425,431,437,443,449,455,458,461,465,468,471,477,483,489,492,495,499,502,505,511,517,523,529,535,538,541,545,548,551,557,563,569,572,575,579,582],[11,338,340],{"id":339},"the-core-of-the-nist-cybersecurity-framework","The core of the NIST Cybersecurity Framework",[16,342,343],{},"The NIST Cybersecurity Framework (CSF) organizes cybersecurity activities into five core functions: Identify, Protect, Detect, Respond, and Recover. These functions provide a high-level, strategic view of an organization's cybersecurity risk management lifecycle. They are not meant to be followed sequentially but rather operate concurrently and continuously as part of a mature security program.",[16,345,346],{},"The five functions apply to organizations of all sizes and across all industries. They serve as a common language for communicating cybersecurity posture to executives, boards, regulators, and technical teams. 
Each function breaks down into categories and subcategories that provide progressively more specific guidance.",[16,348,349,350,354],{},"Note that NIST CSF 2.0 introduced a sixth function, Govern, which is covered in the ",[257,351,353],{"href":352},"\u002Fframeworks\u002Fnistcsf\u002Fv2-changes","NIST CSF 2.0 changes"," topic.",[11,356,358],{"id":357},"identify-id","Identify (ID)",[16,360,361],{},"The Identify function develops an organizational understanding of how to manage cybersecurity risk to systems, people, assets, data, and capabilities. Before you can protect anything, you must know what you have and what risks you face.",[86,363,365],{"id":364},"key-categories","Key categories",[16,367,368,371],{},[20,369,370],{},"Asset management (ID.AM)"," - Inventory and manage all physical devices, software platforms, data flows, and external information systems. You cannot protect assets you do not know exist. This includes hardware inventories, software bills of materials, data classification schemes, and mapping of information flows between systems.",[16,373,374,377],{},[20,375,376],{},"Business environment (ID.BE)"," - Understand the organization's mission, objectives, stakeholders, and supply chain. Cybersecurity priorities should align with business goals and risk tolerance. This category ensures that security investments support the most critical business functions.",[16,379,380,383],{},[20,381,382],{},"Governance (ID.GV)"," - Establish and maintain cybersecurity policies, roles, responsibilities, and coordination between internal and external stakeholders. Governance provides the management framework that directs all other cybersecurity activities.",[16,385,386,389],{},[20,387,388],{},"Risk assessment (ID.RA)"," - Identify, analyze, and prioritize cybersecurity risks. This includes threat intelligence, vulnerability identification, likelihood and impact analysis, and risk determination. 
Risk assessments inform where to allocate resources for the greatest security benefit.",[16,391,392,395],{},[20,393,394],{},"Risk management strategy (ID.RM)"," - Define risk tolerance and establish processes for managing risk on an ongoing basis. This includes policies for accepting, mitigating, transferring, or avoiding identified risks.",[16,397,398,401],{},[20,399,400],{},"Supply chain risk management (ID.SC)"," - Identify, assess, and manage risks associated with third-party service providers, vendors, and supply chain partners. This category has grown in importance as organizations increasingly depend on external services and software.",[86,403,405],{"id":404},"practical-application","Practical application",[16,407,408],{},"The Identify function should produce a comprehensive picture of your organization's cybersecurity posture. This includes a current asset inventory, a risk register prioritized by business impact, documented governance structures, and an understanding of your supply chain dependencies. This foundation enables informed decisions across all other functions.",[11,410,412],{"id":411},"protect-pr","Protect (PR)",[16,414,415],{},"The Protect function implements safeguards to ensure delivery of critical services and limit the impact of potential cybersecurity events. This is where preventive controls are designed and deployed.",[86,417,365],{"id":418},"key-categories-1",[16,420,421,424],{},[20,422,423],{},"Identity management, authentication, and access control (PR.AC)"," - Manage credentials, implement multi-factor authentication, enforce least privilege, and control access to physical and logical assets. Access control is consistently one of the most critical protective measures across all compliance frameworks.",[16,426,427,430],{},[20,428,429],{},"Awareness and training (PR.AT)"," - Ensure that personnel at all levels receive cybersecurity awareness training appropriate to their roles. 
Privileged users, executives, and third-party stakeholders each need tailored training programs.",[16,432,433,436],{},[20,434,435],{},"Data security (PR.DS)"," - Protect data at rest and in transit through encryption, integrity checking, and data loss prevention mechanisms. This category covers the entire data lifecycle from creation through disposal.",[16,438,439,442],{},[20,440,441],{},"Information protection processes and procedures (PR.IP)"," - Maintain and use security policies, baselines, and procedures that protect information and systems. This includes configuration management, change control, backup procedures, and incident response planning.",[16,444,445,448],{},[20,446,447],{},"Maintenance (PR.MA)"," - Perform and log maintenance on organizational assets in a controlled manner. Remote maintenance must be approved, logged, and conducted using secure channels.",[16,450,451,454],{},[20,452,453],{},"Protective technology (PR.PT)"," - Deploy technical security solutions including firewalls, intrusion prevention systems, endpoint protection, and security monitoring tools. Audit logs must be maintained and protected, and communications and control networks must be secured.",[86,456,405],{"id":457},"practical-application-1",[16,459,460],{},"The Protect function translates risk assessments from the Identify function into concrete security controls. Effective protection requires layered defenses that address people (training), process (policies and procedures), and technology (security tools). No single control is sufficient -- defense in depth is the guiding principle.",[11,462,464],{"id":463},"detect-de","Detect (DE)",[16,466,467],{},"The Detect function defines activities to identify the occurrence of a cybersecurity event in a timely manner. 
The speed of detection directly impacts the severity of a security incident.",[86,469,365],{"id":470},"key-categories-2",[16,472,473,476],{},[20,474,475],{},"Anomalies and events (DE.AE)"," - Establish baselines of normal activity and detect deviations that may indicate malicious behavior. This includes analyzing event data from multiple sources, correlating events to identify patterns, and determining the impact of detected anomalies.",[16,478,479,482],{},[20,480,481],{},"Security continuous monitoring (DE.CM)"," - Monitor information systems and assets at regular intervals to detect cybersecurity events and verify the effectiveness of protective measures. This encompasses network monitoring, physical environment monitoring, personnel activity monitoring, malicious code detection, unauthorized mobile code detection, and external service provider activity monitoring.",[16,484,485,488],{},[20,486,487],{},"Detection processes (DE.DP)"," - Maintain and test detection processes and procedures to ensure awareness of anomalous events. Detection roles and responsibilities must be defined, detection activities must comply with applicable requirements, detection processes must be tested, and event detection information must be communicated to appropriate parties.",[86,490,405],{"id":491},"practical-application-2",[16,493,494],{},"The Detect function relies heavily on technology solutions such as SIEM platforms, intrusion detection systems, endpoint detection and response (EDR) tools, and network traffic analysis. However, technology alone is insufficient. 
Organizations must define what constitutes normal activity, establish alert thresholds, create response playbooks for different detection scenarios, and regularly test their detection capabilities through exercises like red team engagements and tabletop exercises.",[11,496,498],{"id":497},"respond-rs","Respond (RS)",[16,500,501],{},"The Respond function defines activities to take action regarding a detected cybersecurity incident. A well-prepared response capability limits the damage of an incident and supports faster recovery.",[86,503,365],{"id":504},"key-categories-3",[16,506,507,510],{},[20,508,509],{},"Response planning (RS.RP)"," - Develop and maintain incident response plans that are executed during and after an incident. Plans should be documented, assign roles and responsibilities, and be tested regularly through exercises.",[16,512,513,516],{},[20,514,515],{},"Communications (RS.CO)"," - Coordinate response activities with internal and external stakeholders. This includes notifying affected parties, coordinating with law enforcement when appropriate, sharing information with ISACs and other intelligence sharing organizations, and managing public relations.",[16,518,519,522],{},[20,520,521],{},"Analysis (RS.AN)"," - Investigate detected incidents to understand their scope, determine impact, and support forensic analysis. Notifications from detection systems must be investigated, the impact of the incident must be understood, and forensic evidence must be collected and preserved.",[16,524,525,528],{},[20,526,527],{},"Mitigation (RS.MI)"," - Contain the incident to prevent expansion and mitigate its effects. This includes isolating affected systems, implementing temporary countermeasures, and addressing newly identified vulnerabilities.",[16,530,531,534],{},[20,532,533],{},"Improvements (RS.IM)"," - Incorporate lessons learned from detection and response activities into future response plans and strategies. 
Post-incident reviews should identify what worked, what did not, and what changes are needed.",[86,536,405],{"id":537},"practical-application-3",[16,539,540],{},"Effective incident response requires preparation long before an incident occurs. Organizations should maintain documented response plans, conduct tabletop exercises at least annually, establish communication templates for different incident types, maintain relationships with law enforcement and forensic firms, and test recovery procedures. The Respond function works hand-in-hand with the Detect function -- detection without response capability provides limited value.",[11,542,544],{"id":543},"recover-rc","Recover (RC)",[16,546,547],{},"The Recover function develops and implements activities to maintain plans for resilience and restore any capabilities or services that were impaired due to a cybersecurity incident.",[86,549,365],{"id":550},"key-categories-4",[16,552,553,556],{},[20,554,555],{},"Recovery planning (RC.RP)"," - Develop and maintain recovery plans that are executed during and after an incident. Plans should address the restoration of systems, data, and operations to normal levels within defined recovery time objectives.",[16,558,559,562],{},[20,560,561],{},"Improvements (RC.IM)"," - Incorporate lessons learned from recovery activities into updated recovery strategies. This creates a feedback loop that strengthens resilience over time.",[16,564,565,568],{},[20,566,567],{},"Communications (RC.CO)"," - Manage public relations, repair reputational damage, and communicate recovery activities to internal and external stakeholders. Coordinated communication during recovery maintains trust with customers, partners, and regulators.",[86,570,405],{"id":571},"practical-application-4",[16,573,574],{},"Recovery planning encompasses business continuity planning, disaster recovery procedures, data backup strategies, and communications planning. 
Organizations should define recovery time objectives (RTOs) and recovery point objectives (RPOs) for all critical systems, test backup restoration regularly, and maintain alternate processing capabilities for mission-critical services.",[11,576,578],{"id":577},"how-the-five-functions-work-together","How the five functions work together",[16,580,581],{},"The five functions are not a linear sequence but a continuous cycle. Risk identification informs protective controls, protective controls support detection capabilities, detection triggers response, response enables recovery, and recovery feeds back into improved identification and protection.",[16,583,584,585,589,590,594,595,599,600,604],{},"Organizations using the NIST CSF should assess their maturity across all five functions using ",[257,586,588],{"href":587},"\u002Fframeworks\u002Fnistcsf\u002Fimplementation-tiers","implementation tiers"," and build ",[257,591,593],{"href":592},"\u002Fframeworks\u002Fnistcsf\u002Fframework-profiles","framework profiles"," that capture their current and target states. 
The five functions also ",[257,596,598],{"href":597},"\u002Fframeworks\u002Fnistcsf\u002Fmapping-to-other-frameworks","map to other frameworks"," like SOC 2, ISO 27001, and ",[257,601,603],{"href":602},"\u002Fframeworks\u002Fpci","PCI DSS",", making them a useful organizing structure for organizations managing multiple compliance requirements.",{"title":284,"searchDepth":285,"depth":285,"links":606},[607,608,612,616,620,624,628],{"id":339,"depth":285,"text":340},{"id":357,"depth":285,"text":358,"children":609},[610,611],{"id":364,"depth":291,"text":365},{"id":404,"depth":291,"text":405},{"id":411,"depth":285,"text":412,"children":613},[614,615],{"id":418,"depth":291,"text":365},{"id":457,"depth":291,"text":405},{"id":463,"depth":285,"text":464,"children":617},[618,619],{"id":470,"depth":291,"text":365},{"id":491,"depth":291,"text":405},{"id":497,"depth":285,"text":498,"children":621},[622,623],{"id":504,"depth":291,"text":365},{"id":537,"depth":291,"text":405},{"id":543,"depth":285,"text":544,"children":625},[626,627],{"id":550,"depth":291,"text":365},{"id":571,"depth":291,"text":405},{"id":577,"depth":285,"text":578},"A detailed exploration of the five core functions of the NIST Cybersecurity Framework -- Identify, Protect, Detect, Respond, and Recover.",null,{},"\u002Fframeworks\u002Fnistcsf\u002Ffive-functions",[634],"grc",[636,326,637],"implementation-tiers","v2-changes",{"title":639,"description":640},"NIST CSF Five Functions - Identify, Protect, Detect, Respond, Recover","Understand the five core NIST CSF functions that organize cybersecurity activities. 
Learn what each function covers and how they work together.","5.frameworks\u002Fnistcsf\u002Ffive-functions","UKMCkvYY8EuaXD7Ye2itJwTIEwrWdBaTphfOZvfHqb4",{"id":644,"title":645,"body":646,"description":1078,"extension":298,"faq":1079,"frameworkSlug":313,"lastUpdated":314,"meta":1092,"navigation":316,"path":592,"relatedTerms":1093,"relatedTopics":1094,"seo":1097,"stem":1100,"__hash__":1101},"frameworkTopics\u002F5.frameworks\u002Fnistcsf\u002Fframework-profiles.md","NIST CSF Framework Profiles",{"type":8,"value":647,"toc":1052},[648,652,655,658,672,675,679,682,686,689,692,706,710,713,739,742,746,749,753,756,823,826,830,833,837,843,853,859,865,871,875,878,881,885,888,892,895,921,925,928,948,952,955,959,962,966,969,973,980,984,987,991,994,998,1004,1007,1010,1014,1017,1049],[11,649,651],{"id":650},"what-is-a-nist-csf-framework-profile","What is a NIST CSF framework profile?",[16,653,654],{},"A framework profile is a customized alignment of the NIST Cybersecurity Framework's functions, categories, and subcategories with your organization's specific business requirements, risk tolerance, and available resources. Profiles provide a mechanism for organizations to tailor the NIST CSF to their unique circumstances rather than treating the framework as a one-size-fits-all checklist.",[16,656,657],{},"The NIST CSF defines two types of profiles:",[97,659,660,666],{},[100,661,662,665],{},[20,663,664],{},"Current profile"," - Describes the cybersecurity outcomes your organization is currently achieving",[100,667,668,671],{},[20,669,670],{},"Target profile"," - Describes the cybersecurity outcomes your organization wants to achieve",[16,673,674],{},"The gap between these two profiles drives your prioritization, investment, and improvement roadmap. 
This makes profiles one of the most practical and actionable components of the NIST CSF.",[11,676,678],{"id":677},"building-a-current-profile","Building a current profile",[16,680,681],{},"A current profile captures an honest assessment of where your cybersecurity program stands today. It requires input from across the organization, not just the security team.",[86,683,685],{"id":684},"step-1-select-relevant-subcategories","Step 1 - Select relevant subcategories",[16,687,688],{},"The NIST CSF contains 108 subcategories across the five core functions (Identify, Protect, Detect, Respond, Recover). Not all subcategories are equally relevant to every organization. Start by reviewing each subcategory and determining whether it applies to your business context.",[16,690,691],{},"Consider:",[97,693,694,697,700,703],{},[100,695,696],{},"Your industry and regulatory requirements (healthcare organizations will prioritize different subcategories than financial services firms)",[100,698,699],{},"Your technology environment (cloud-native organizations face different risks than those with primarily on-premises infrastructure)",[100,701,702],{},"Your threat landscape (organizations handling sensitive data face different threats than those primarily concerned with availability)",[100,704,705],{},"Your supply chain complexity",[86,707,709],{"id":708},"step-2-assess-current-state-for-each-subcategory","Step 2 - Assess current state for each subcategory",[16,711,712],{},"For each relevant subcategory, assess your current implementation level. 
Many organizations use a simple rating scale:",[97,714,715,721,727,733],{},[100,716,717,720],{},[20,718,719],{},"Not implemented"," - No activity or controls are in place for this subcategory",[100,722,723,726],{},[20,724,725],{},"Partially implemented"," - Some controls exist but are inconsistent, undocumented, or incomplete",[100,728,729,732],{},[20,730,731],{},"Largely implemented"," - Controls are in place and documented but may have gaps or are not regularly reviewed",[100,734,735,738],{},[20,736,737],{},"Fully implemented"," - Controls are documented, consistently applied, regularly tested, and subject to continuous improvement",[16,740,741],{},"Document the evidence supporting each assessment. This evidence will be valuable for gap analysis and for demonstrating progress over time.",[86,743,745],{"id":744},"step-3-document-findings","Step 3 - Document findings",[16,747,748],{},"Compile the assessment into a structured document or tool that maps each subcategory to its current state, supporting evidence, and any known gaps. 
The current profile should be reviewed and endorsed by senior leadership to ensure organizational alignment.",[86,750,752],{"id":751},"example-assessment","Example assessment",[16,754,755],{},"For the Identify function, Asset Management category:",[38,757,758,771],{},[41,759,760],{},[44,761,762,765,768],{},[47,763,764],{},"Subcategory",[47,766,767],{},"Description",[47,769,770],{},"Current state",[57,772,773,783,793,803,813],{},[44,774,775,778,781],{},[62,776,777],{},"ID.AM-1",[62,779,780],{},"Physical devices and systems are inventoried",[62,782,731],{},[44,784,785,788,791],{},[62,786,787],{},"ID.AM-2",[62,789,790],{},"Software platforms and applications are inventoried",[62,792,725],{},[44,794,795,798,801],{},[62,796,797],{},"ID.AM-3",[62,799,800],{},"Organizational communication and data flows are mapped",[62,802,719],{},[44,804,805,808,811],{},[62,806,807],{},"ID.AM-4",[62,809,810],{},"External information systems are catalogued",[62,812,725],{},[44,814,815,818,821],{},[62,816,817],{},"ID.AM-5",[62,819,820],{},"Resources are prioritized based on classification and business value",[62,822,725],{},[16,824,825],{},"This granular view reveals specific areas needing attention rather than painting the entire function with a single broad assessment.",[11,827,829],{"id":828},"building-a-target-profile","Building a target profile",[16,831,832],{},"The target profile defines where your organization needs to be. It should be driven by business objectives, regulatory requirements, and risk tolerance rather than by the aspiration to achieve the highest possible maturity in every subcategory.",[86,834,836],{"id":835},"inputs-for-target-profile-development","Inputs for target profile development",[16,838,839,842],{},[20,840,841],{},"Business objectives"," - What are the organization's strategic priorities? 
A company planning rapid growth in e-commerce will have different cybersecurity priorities than one focused on operational efficiency in manufacturing.",[16,844,845,848,849,852],{},[20,846,847],{},"Regulatory requirements"," - What compliance frameworks must you meet? If you need ",[257,850,851],{"href":602},"PCI DSS compliance",", your target profile should ensure that subcategories relevant to PCI DSS requirements are rated at full implementation. If you operate in healthcare, HIPAA requirements will shape your targets.",[16,854,855,858],{},[20,856,857],{},"Risk tolerance"," - How much cybersecurity risk is the organization willing to accept? This is a business decision, not a technical one. Risk-averse organizations (financial institutions, defense contractors) will set higher targets than organizations with lower risk profiles.",[16,860,861,864],{},[20,862,863],{},"Resource constraints"," - What budget, personnel, and technology resources are available? Target profiles must be realistic. Setting targets that far exceed available resources creates an unachievable plan that will be ignored.",[16,866,867,870],{},[20,868,869],{},"Threat intelligence"," - What threats are most relevant to your industry and organization? Prioritize subcategories that address the threats most likely to materialize and cause the greatest impact.",[86,872,874],{"id":873},"setting-target-levels","Setting target levels",[16,876,877],{},"For each relevant subcategory, define the desired implementation level. Not every subcategory needs to reach \"fully implemented.\" Some subcategories may appropriately remain at \"partially implemented\" if the risk is low and the cost of full implementation is high.",[16,879,880],{},"Target profiles should include timelines. 
A three-year target profile might set interim milestones at six months, one year, and two years, allowing the organization to track progress and adjust priorities as conditions change.",[11,882,884],{"id":883},"conducting-gap-analysis","Conducting gap analysis",[16,886,887],{},"The gap between your current profile and target profile is your cybersecurity improvement roadmap. Effective gap analysis translates abstract assessments into actionable work.",[86,889,891],{"id":890},"prioritizing-gaps","Prioritizing gaps",[16,893,894],{},"Not all gaps are equal. Prioritize based on:",[150,896,897,903,909,915],{},[100,898,899,902],{},[20,900,901],{},"Risk impact"," - Gaps in subcategories that address your most significant risks should receive the highest priority. A gap in incident response planning for an organization that has already experienced a breach is more urgent than a gap in physical security awareness training.",[100,904,905,908],{},[20,906,907],{},"Regulatory urgency"," - Gaps that create compliance violations carry immediate consequences. If you are pursuing SOC 2 and your current profile shows gaps in monitoring and logging subcategories, those gaps need prompt attention.",[100,910,911,914],{},[20,912,913],{},"Implementation effort"," - Some gaps can be closed quickly with modest investment (enabling MFA, updating policies), while others require significant time and resources (deploying a SIEM, building a security operations center). Quick wins build momentum and demonstrate progress.",[100,916,917,920],{},[20,918,919],{},"Dependency chains"," - Some improvements depend on others. You cannot implement effective monitoring (Detect function) without first having an accurate asset inventory (Identify function). 
Map dependencies and sequence your improvements accordingly.",[86,922,924],{"id":923},"creating-an-action-plan","Creating an action plan",[16,926,927],{},"For each prioritized gap, document:",[97,929,930,933,936,939,942,945],{},[100,931,932],{},"The specific subcategory and the gap between current and target states",[100,934,935],{},"The actions required to close the gap (technical implementations, process changes, training programs)",[100,937,938],{},"The resources required (budget, personnel, tools)",[100,940,941],{},"The responsible owner",[100,943,944],{},"The target completion date",[100,946,947],{},"How success will be measured",[86,949,951],{"id":950},"tracking-progress","Tracking progress",[16,953,954],{},"Gap analysis is not a one-time activity. Reassess your current profile at regular intervals (quarterly or semi-annually) to track progress, identify new gaps introduced by changes in your environment, and adjust priorities based on evolving threats and business needs.",[11,956,958],{"id":957},"customizing-profiles-for-your-organization","Customizing profiles for your organization",[16,960,961],{},"The NIST CSF is deliberately flexible, and profiles are the primary mechanism for customization. Several strategies can help you build profiles that are practical and valuable.",[86,963,965],{"id":964},"industry-specific-profiles","Industry-specific profiles",[16,967,968],{},"The NIST CSF encourages the creation of sector-specific profiles that reflect the unique risks and requirements of particular industries. Several sector-specific profiles already exist, including profiles for manufacturing, maritime, and energy sectors. These can serve as starting points for your organization's profile development.",[86,970,972],{"id":971},"regulatory-mapping","Regulatory mapping",[16,974,975,976,979],{},"Map your profile subcategories to your specific regulatory requirements. 
If you must comply with multiple frameworks, your target profile should incorporate the most stringent requirement for each subcategory. The ",[257,977,978],{"href":597},"mapping to other frameworks"," topic covers how NIST CSF aligns with SOC 2, ISO 27001, HIPAA, and PCI DSS.",[86,981,983],{"id":982},"organizational-context","Organizational context",[16,985,986],{},"Customize profiles based on your organizational structure. Large enterprises may create multiple profiles for different business units, each reflecting the unit's specific risk environment and regulatory requirements. A retail division handling payment data will have a different profile than a corporate shared services division.",[86,988,990],{"id":989},"stakeholder-communication","Stakeholder communication",[16,992,993],{},"Profiles are powerful communication tools. Executive-level summaries should highlight the overall gap position and the business risk associated with the most critical gaps. Technical teams need detailed subcategory-level assessments and action plans. Board reporting should focus on trends over time and the alignment between cybersecurity investments and risk reduction.",[11,995,997],{"id":996},"profiles-and-implementation-tiers","Profiles and implementation tiers",[16,999,1000,1001,1003],{},"Framework profiles and ",[257,1002,588],{"href":587}," work together but serve different purposes. Tiers describe how your organization approaches cybersecurity risk management (from ad hoc to adaptive), while profiles describe what cybersecurity outcomes you achieve.",[16,1005,1006],{},"An organization at Tier 2 (Risk Informed) might have a current profile that shows strong implementation in some subcategories and weak implementation in others. The tier reflects the overall maturity of the risk management process, while the profile provides the granular detail about specific capabilities.",[16,1008,1009],{},"Your target tier and target profile should be aligned. 
If you are progressing from Tier 2 to Tier 3, your target profile should reflect the systematic, policy-driven approach to cybersecurity that characterizes Tier 3 organizations. Conversely, if your target profile calls for advanced capabilities in detection and response, you likely need to be operating at Tier 3 or higher to sustain those capabilities.",[11,1011,1013],{"id":1012},"maintaining-profiles-over-time","Maintaining profiles over time",[16,1015,1016],{},"Profiles are living documents that should evolve with your organization. Review and update profiles when:",[97,1018,1019,1025,1031,1037,1043],{},[100,1020,1021,1024],{},[20,1022,1023],{},"Significant business changes occur"," - mergers, acquisitions, new product lines, or market entry",[100,1026,1027,1030],{},[20,1028,1029],{},"The threat landscape shifts"," - new attack techniques, emerging vulnerabilities, or intelligence indicating heightened risk",[100,1032,1033,1036],{},[20,1034,1035],{},"Regulatory requirements change"," - new laws, updated standards, or audit findings",[100,1038,1039,1042],{},[20,1040,1041],{},"Technology changes"," - cloud migration, new platforms, or decommissioning of legacy systems",[100,1044,1045,1048],{},[20,1046,1047],{},"After security incidents"," - lessons learned should feed directly into updated current and target profiles",[16,1050,1051],{},"By treating profiles as dynamic tools rather than static documents, organizations can maintain an accurate view of their cybersecurity posture and ensure that improvement efforts remain aligned with current business needs and 
risks.",{"title":284,"searchDepth":285,"depth":285,"links":1053},[1054,1055,1061,1065,1070,1076,1077],{"id":650,"depth":285,"text":651},{"id":677,"depth":285,"text":678,"children":1056},[1057,1058,1059,1060],{"id":684,"depth":291,"text":685},{"id":708,"depth":291,"text":709},{"id":744,"depth":291,"text":745},{"id":751,"depth":291,"text":752},{"id":828,"depth":285,"text":829,"children":1062},[1063,1064],{"id":835,"depth":291,"text":836},{"id":873,"depth":291,"text":874},{"id":883,"depth":285,"text":884,"children":1066},[1067,1068,1069],{"id":890,"depth":291,"text":891},{"id":923,"depth":291,"text":924},{"id":950,"depth":291,"text":951},{"id":957,"depth":285,"text":958,"children":1071},[1072,1073,1074,1075],{"id":964,"depth":291,"text":965},{"id":971,"depth":291,"text":972},{"id":982,"depth":291,"text":983},{"id":989,"depth":291,"text":990},{"id":996,"depth":285,"text":997},{"id":1012,"depth":285,"text":1013},"How to use NIST CSF framework profiles to assess your current cybersecurity posture, define target states, perform gap analysis, and customize the framework.",{"items":1080},[1081,1083,1086,1089],{"label":651,"content":1082},"A framework profile is a customized alignment of the NIST CSF's functions, categories, and subcategories with your organization's specific business requirements and risk tolerance. The CSF defines two profile types: a current profile (where you are now) and a target profile (where you want to be). The gap between them drives your improvement roadmap.",{"label":1084,"content":1085},"How do I build a current profile?","Start by selecting the NIST CSF subcategories relevant to your organization, then assess each one using a maturity scale (not implemented, partially implemented, largely implemented, fully implemented). 
Document the evidence supporting each assessment and have senior leadership review and endorse the results.",{"label":1087,"content":1088},"What is the difference between profiles and implementation tiers?","Profiles describe what cybersecurity outcomes you achieve at a granular subcategory level. Implementation tiers describe how your organization approaches cybersecurity risk management overall (from ad hoc to adaptive). An organization at Tier 2 might still have some subcategories at full implementation — profiles give that detail.",{"label":1090,"content":1091},"How often should I update NIST CSF profiles?","Reassess your current profile quarterly or semi-annually. Additionally, update profiles when significant business changes occur (mergers, new product lines), the threat landscape shifts, regulatory requirements change, technology changes (cloud migration), or after security incidents.",{},[634],[1095,636,1096],"five-functions","mapping-to-other-frameworks",{"title":1098,"description":1099},"NIST CSF Framework Profiles: Build Current & Target State Gap Analysis","Step-by-step guide to building NIST CSF framework profiles — assess your current cybersecurity posture, define target states, and prioritize improvements.","5.frameworks\u002Fnistcsf\u002Fframework-profiles","k8BTWrVwkOqcQOqIEgaK29gs9zbopmkOpc3SleT9Lu4",{"id":1103,"title":1104,"body":1105,"description":1392,"extension":298,"faq":1393,"frameworkSlug":313,"lastUpdated":314,"meta":1407,"navigation":316,"path":1408,"relatedTerms":1409,"relatedTopics":1412,"seo":1414,"stem":1417,"__hash__":1418},"frameworkTopics\u002F5.frameworks\u002Fnistcsf\u002Fgovern-function.md","NIST CSF Govern Function",{"type":8,"value":1106,"toc":1377},[1107,1111,1117,1120,1123,1126,1130,1133,1147,1150,1154,1157,1237,1241,1244,1248,1251,1255,1258,1262,1265,1269,1272,1276,1279,1281,1284,1322,1325,1327,1330,1362,1364,1367],[11,1108,1110],{"id":1109},"what-is-the-nist-csf-govern-function","What is the NIST CSF Govern 
function?",[16,1112,18,1113,1116],{},[20,1114,1115],{},"Govern (GV) function"," is the newest and arguably most consequential addition to NIST CSF 2.0. It represents a fundamental shift in how NIST wants organizations to think about cybersecurity: not as a technical program owned by IT, but as an enterprise risk discipline owned by the executive team and the board.",[16,1118,1119],{},"In NIST CSF 1.1, governance was a single category — ID.GV — tucked inside the Identify function alongside Asset Management, Business Environment, and Risk Assessment. In practice, that placement caused the problem NIST was trying to solve. Organizations treated governance as a box to check during an initial Identify exercise, then drifted into the Protect and Detect functions where the \"real\" cybersecurity work seemed to happen. Policies got stale, roles and responsibilities were vague, supply chain risk was handled reactively, and leadership had no structured way to set cybersecurity priorities or hold the program accountable.",[16,1121,1122],{},"NIST CSF 2.0 fixes that by pulling governance out of Identify and making it a top-level function that sits above the original five. Govern now frames every other function. It asks: what is the organization's mission? Who are our stakeholders? What is our risk appetite? Who is accountable for cybersecurity outcomes? What policies govern our behavior? How do we oversee our own cybersecurity performance? How do we manage cybersecurity risk in our supply chain?",[16,1124,1125],{},"Govern is where cybersecurity strategy is made. Identify, Protect, Detect, Respond, and Recover are where that strategy is executed.",[11,1127,1129],{"id":1128},"why-nist-added-the-govern-function","Why NIST added the Govern function",[16,1131,1132],{},"NIST spent more than a year gathering feedback from thousands of stakeholders before publishing NIST CSF 2.0. 
The feedback about governance was strikingly consistent:",[97,1134,1135,1138,1141,1144],{},[100,1136,1137],{},"Executives did not know how to translate cybersecurity risk into business decisions.",[100,1139,1140],{},"Boards were under growing regulatory pressure (SEC cybersecurity disclosure rules, state-level privacy laws, DORA in the EU) to demonstrate cybersecurity oversight, but the original NIST CSF gave them little to oversee.",[100,1142,1143],{},"Supply chain attacks — SolarWinds, Kaseya, Log4j, MOVEit — exposed the limits of treating third-party risk as a subcategory of Identify.",[100,1145,1146],{},"Mature organizations told NIST that their real differentiator was not a specific tool or control; it was the governance fabric that made every other control stick.",[16,1148,1149],{},"By elevating governance, NIST acknowledged that cybersecurity programs fail at the top, not at the bottom. The Govern function gives leadership an explicit mandate and gives practitioners a structured way to request the executive engagement that mature programs require.",[11,1151,1153],{"id":1152},"the-six-categories-of-the-govern-function","The six categories of the Govern function",[16,1155,1156],{},"The Govern function contains six categories. Each category has several subcategories expressed as outcome statements. 
Below is a concise map.",[38,1158,1159,1169],{},[41,1160,1161],{},[44,1162,1163,1165,1167],{},[47,1164,49],{},[47,1166,52],{},[47,1168,55],{},[57,1170,1171,1182,1193,1204,1215,1226],{},[44,1172,1173,1176,1179],{},[62,1174,1175],{},"Organizational Context",[62,1177,1178],{},"GV.OC",[62,1180,1181],{},"Mission, stakeholders, legal and regulatory requirements, critical dependencies",[44,1183,1184,1187,1190],{},[62,1185,1186],{},"Risk Management Strategy",[62,1188,1189],{},"GV.RM",[62,1191,1192],{},"Risk appetite, risk tolerance, risk assumptions, and cybersecurity strategy",[44,1194,1195,1198,1201],{},[62,1196,1197],{},"Roles, Responsibilities, and Authorities",[62,1199,1200],{},"GV.RR",[62,1202,1203],{},"Defined cybersecurity roles, accountability, resources, and performance",[44,1205,1206,1209,1212],{},[62,1207,1208],{},"Policy",[62,1210,1211],{},"GV.PO",[62,1213,1214],{},"Cybersecurity policies, standards, and procedures that guide the program",[44,1216,1217,1220,1223],{},[62,1218,1219],{},"Oversight",[62,1221,1222],{},"GV.OV",[62,1224,1225],{},"Monitoring and adjusting the strategy based on performance data",[44,1227,1228,1231,1234],{},[62,1229,1230],{},"Cybersecurity Supply Chain Risk Management",[62,1232,1233],{},"GV.SC",[62,1235,1236],{},"Third-party, supplier, and software supply chain cybersecurity risk",[86,1238,1240],{"id":1239},"organizational-context-gvoc","Organizational Context (GV.OC)",[16,1242,1243],{},"GV.OC sets the frame for everything else. It requires the organization to understand its own mission, stakeholders, objectives, legal and regulatory obligations, and the critical dependencies that must be protected. An e-commerce company, a hospital network, and a defense contractor will have radically different organizational contexts, and therefore radically different cybersecurity priorities. 
Without a documented GV.OC, cybersecurity decisions devolve into generic best-practice lists disconnected from business reality.",[86,1245,1247],{"id":1246},"risk-management-strategy-gvrm","Risk Management Strategy (GV.RM)",[16,1249,1250],{},"GV.RM moves risk management strategy from its former home in the Identify function (ID.RM) to the Govern function. The shift is symbolic and operational: risk appetite, risk tolerance, and the overall cybersecurity risk strategy are governance decisions, not operational ones. GV.RM requires leadership to articulate how much cybersecurity risk the organization is willing to accept, how that risk aligns with business objectives, and how risk decisions will be documented.",[86,1252,1254],{"id":1253},"roles-responsibilities-and-authorities-gvrr","Roles, Responsibilities, and Authorities (GV.RR)",[16,1256,1257],{},"GV.RR formalizes the organizational structure of cybersecurity accountability. It requires clear assignment of cybersecurity roles — CISO, security engineers, IT operations, HR, legal, internal audit — and defines the authority each role has to make decisions, commit resources, and enforce policy. GV.RR also covers cybersecurity performance management: how the organization reviews cybersecurity talent, rewards strong performance, and addresses gaps.",[86,1259,1261],{"id":1260},"policy-gvpo","Policy (GV.PO)",[16,1263,1264],{},"GV.PO governs the cybersecurity policy library itself. Policies must be established, communicated, enforced, and periodically updated. GV.PO asks whether the organization's cybersecurity policies are current, whether employees actually read and follow them, and whether policy exceptions are logged and reviewed. A dusty policy PDF nobody has read since onboarding fails GV.PO even if it technically exists.",[86,1266,1268],{"id":1267},"oversight-gvov","Oversight (GV.OV)",[16,1270,1271],{},"GV.OV creates the feedback loop between operational cybersecurity activity and executive decision-making. 
It requires that the results of cybersecurity activities — incidents, audit findings, risk assessments, control performance — feed back into the risk management strategy and are used to adjust priorities, investments, and policies. Without GV.OV, Govern becomes a one-time documentation exercise instead of a living management system.",[86,1273,1275],{"id":1274},"cybersecurity-supply-chain-risk-management-gvsc","Cybersecurity Supply Chain Risk Management (GV.SC)",[16,1277,1278],{},"GV.SC is where NIST CSF 2.0 confronts the modern reality that most organizations' biggest cybersecurity exposures are not in their own infrastructure but in their suppliers, software vendors, managed service providers, and open-source dependencies. GV.SC covers supplier due diligence, contractual cybersecurity requirements, ongoing monitoring of supplier cybersecurity posture, and contingency plans for supplier disruption. GV.SC is one of the largest category expansions in NIST CSF 2.0.",[11,1280,145],{"id":144},[16,1282,1283],{},"A pragmatic path to implementing the Govern function looks like this:",[150,1285,1286,1292,1298,1304,1310,1316],{},[100,1287,1288,1291],{},[20,1289,1290],{},"Draft a one-page organizational context statement."," Capture mission, critical services, key stakeholders, and top regulatory obligations. This becomes the seed document for GV.OC.",[100,1293,1294,1297],{},[20,1295,1296],{},"Have leadership sign off on a risk appetite statement."," Two or three sentences that describe how much cybersecurity risk the organization is willing to take, expressed in business terms. This anchors GV.RM.",[100,1299,1300,1303],{},[20,1301,1302],{},"Publish a cybersecurity RACI."," Who is responsible, accountable, consulted, and informed for each major cybersecurity activity? This anchors GV.RR.",[100,1305,1306,1309],{},[20,1307,1308],{},"Take inventory of policies."," List every cybersecurity-related policy, its owner, its last review date, and its next review date. 
Retire policies that are redundant. This anchors GV.PO.",[100,1311,1312,1315],{},[20,1313,1314],{},"Establish a recurring oversight cadence."," Monthly or quarterly, leadership reviews cybersecurity metrics, incidents, risks, and initiative progress. This anchors GV.OV.",[100,1317,1318,1321],{},[20,1319,1320],{},"Build a third-party risk program."," Start with a vendor inventory, tier vendors by criticality, and implement due diligence for the top tier. This anchors GV.SC.",[16,1323,1324],{},"Govern does not require a massive investment up front. It requires a small amount of leadership discipline applied consistently over time.",[11,1326,197],{"id":196},[16,1328,1329],{},"The Govern function is simple in concept and difficult in practice. Organizations running into trouble with Govern typically hit one or more of the following walls:",[97,1331,1332,1338,1344,1350,1356],{},[100,1333,1334,1337],{},[20,1335,1336],{},"Executive disengagement."," Govern demands executive attention. If the CEO or board treats cybersecurity as an IT problem, Govern will stall. The fix is structural — schedule standing cybersecurity reviews, tie executive incentives to cybersecurity outcomes, and brief the board with the language of business risk.",[100,1339,1340,1343],{},[20,1341,1342],{},"Policy sprawl."," Many organizations have dozens of overlapping policies nobody reads. GV.PO fails when policies are written for auditors rather than employees. Consolidate, simplify, and translate into the everyday language employees use.",[100,1345,1346,1349],{},[20,1347,1348],{},"Supplier opacity."," GV.SC requires visibility into suppliers you may not fully control. Start with the critical few, get contractual rights to audit and monitor, and add more suppliers over time.",[100,1351,1352,1355],{},[20,1353,1354],{},"Siloed risk programs."," Govern often duplicates work already happening in enterprise risk management, internal audit, or legal. Integrate rather than re-create. 
GV.RM should draw from the enterprise risk register, not a parallel one.",[100,1357,1358,1361],{},[20,1359,1360],{},"Metrics without meaning."," GV.OV only works if the metrics tell leadership something decision-relevant. Replace vanity metrics (patches installed, tickets closed) with outcome metrics (time to detect, time to recover, risk-adjusted loss).",[11,1363,252],{"id":251},[16,1365,1366],{},"episki was built to operate the Govern function as a living system rather than a static binder. Organizational context, risk appetite, roles and responsibilities, policies, oversight cadence, and supplier risk are first-class objects in episki, linked to the underlying NIST CSF subcategories and to every other framework the organization cares about. Policy reviews, supplier re-assessments, and oversight meetings become scheduled workflows with owners, due dates, and audit-ready evidence. Leadership sees a real-time Govern scorecard; practitioners see the concrete initiatives that roll up to it.",[16,1368,1369,1370,276,1373,1376],{},"Ready to operationalize the NIST CSF Govern function without the binder? 
",[257,1371,275],{"href":272,"rel":1372},[274],[257,1374,281],{"href":279,"rel":1375},[274]," and share a Govern function scorecard with your leadership team the same day.",{"title":284,"searchDepth":285,"depth":285,"links":1378},[1379,1380,1381,1389,1390,1391],{"id":1109,"depth":285,"text":1110},{"id":1128,"depth":285,"text":1129},{"id":1152,"depth":285,"text":1153,"children":1382},[1383,1384,1385,1386,1387,1388],{"id":1239,"depth":291,"text":1240},{"id":1246,"depth":291,"text":1247},{"id":1253,"depth":291,"text":1254},{"id":1260,"depth":291,"text":1261},{"id":1267,"depth":291,"text":1268},{"id":1274,"depth":291,"text":1275},{"id":144,"depth":285,"text":145},{"id":196,"depth":285,"text":197},{"id":251,"depth":285,"text":252},"A complete guide to the NIST CSF 2.0 Govern function — its six categories (OC, RM, RR, PO, OV, SC), why NIST added it, and how to implement it.",{"items":1394},[1395,1398,1401,1404],{"label":1396,"content":1397},"Why did NIST add the Govern function in CSF 2.0?","NIST added the Govern function because organizations using CSF 1.1 consistently under-invested in governance. Governance was a single category (ID.GV) buried inside Identify, and it rarely got leadership attention. Elevating Govern to a top-level function forces cybersecurity governance onto the executive agenda and acknowledges that sustained cybersecurity outcomes depend on leadership, policy, and risk management strategy.",{"label":1399,"content":1400},"What are the six categories of the Govern function?","The six Govern categories are Organizational Context (GV.OC), Risk Management Strategy (GV.RM), Roles, Responsibilities, and Authorities (GV.RR), Policy (GV.PO), Oversight (GV.OV), and Cybersecurity Supply Chain Risk Management (GV.SC).",{"label":1402,"content":1403},"Who is accountable for the Govern function?","The Govern function is owned by senior leadership — typically the CEO, board, CISO, or an executive risk committee. 
While operational teams contribute evidence and execute policies, accountability for cybersecurity governance cannot be delegated below the executive layer. Boards and audit committees increasingly review Govern function performance as part of their cybersecurity oversight duties.",{"label":1405,"content":1406},"How does Govern relate to the other NIST CSF functions?","Govern sits above the other five functions. Organizational context, risk appetite, policies, and oversight set in Govern flow downward into how Identify, Protect, Detect, Respond, and Recover are operated. Data from those operational functions flows back up into Govern to adjust strategy and investment.",{},"\u002Fframeworks\u002Fnistcsf\u002Fgovern-function",[634,1410,1411],"control-framework","risk-management",[637,1413,326,1096],"identify-function",{"title":1415,"description":1416},"NIST CSF Govern Function (GV): Categories, Subcategories, and Implementation","The NIST CSF 2.0 Govern function elevates cybersecurity governance to a top-level function. Learn GV.OC, GV.RM, GV.RR, GV.PO, GV.OV, and GV.SC and how to implement each.","5.frameworks\u002Fnistcsf\u002Fgovern-function","PBdP1PRH37sHMj2-HtmpalYABltkFICfHKKzbRie6Lk",{"id":1420,"title":1421,"body":1422,"description":1690,"extension":298,"faq":1691,"frameworkSlug":313,"lastUpdated":314,"meta":1705,"navigation":316,"path":1706,"relatedTerms":1707,"relatedTopics":1709,"seo":1710,"stem":1713,"__hash__":1714},"frameworkTopics\u002F5.frameworks\u002Fnistcsf\u002Fidentify-function.md","NIST CSF Identify Function",{"type":8,"value":1423,"toc":1678},[1424,1428,1434,1437,1440,1444,1447,1466,1469,1473,1520,1526,1530,1533,1536,1561,1565,1568,1571,1575,1578,1580,1583,1621,1623,1626,1658,1660,1668],[11,1425,1427],{"id":1426},"what-is-the-nist-csf-identify-function","What is the NIST CSF Identify function?",[16,1429,18,1430,1433],{},[20,1431,1432],{},"Identify (ID) function"," is where a NIST CSF program begins. 
Its purpose is to develop an organizational understanding of cybersecurity risk to systems, people, assets, data, and capabilities. Identify is not glamorous — no dashboards full of blocked attacks, no incident response war rooms — but it is the function that determines whether every other function has something coherent to act on.",[16,1435,1436],{},"You cannot protect an asset you do not know you own. You cannot detect anomalies in a data flow you have never mapped. You cannot respond to an incident without knowing which systems are critical. You cannot recover what you have not inventoried. Identify is the groundwork that makes the Protect, Detect, Respond, and Recover functions possible, and it is the input that feeds the Govern function's risk management strategy.",[16,1438,1439],{},"Identify is also the function most often shortchanged. Teams rush into Protect because controls feel tangible, and they discover months later that their scope was wrong, their risk register was stale, and their supply chain exposure was invisible. Mature organizations invest heavily and continuously in Identify.",[11,1441,1443],{"id":1442},"how-identify-changed-in-nist-csf-20","How Identify changed in NIST CSF 2.0",[16,1445,1446],{},"NIST CSF 2.0 restructured the Identify function. Two of the original Identify categories moved to the new Govern function:",[97,1448,1449,1454,1460],{},[100,1450,1451,1453],{},[20,1452,382],{}," was elevated to the Govern function and split into GV.OC, GV.RR, GV.PO, and GV.OV.",[100,1455,1456,1459],{},[20,1457,1458],{},"Risk Management Strategy (ID.RM)"," became GV.RM.",[100,1461,1462,1465],{},[20,1463,1464],{},"Supply Chain Risk Management (ID.SC)"," moved to GV.SC.",[16,1467,1468],{},"What remains in Identify is tightly focused on knowing what you have and what is at risk: Asset Management, Risk Assessment, and Improvement. The Business Environment outcomes from CSF 1.1 were folded into GV.OC but continue to inform Identify activities. 
The result is a leaner, more operationally focused Identify function that pairs cleanly with the strategic Govern function above it.",[11,1470,1472],{"id":1471},"the-categories-of-the-identify-function","The categories of the Identify function",[38,1474,1475,1485],{},[41,1476,1477],{},[44,1478,1479,1481,1483],{},[47,1480,49],{},[47,1482,52],{},[47,1484,55],{},[57,1486,1487,1498,1509],{},[44,1488,1489,1492,1495],{},[62,1490,1491],{},"Asset Management",[62,1493,1494],{},"ID.AM",[62,1496,1497],{},"Inventory of hardware, software, systems, data, and external dependencies",[44,1499,1500,1503,1506],{},[62,1501,1502],{},"Risk Assessment",[62,1504,1505],{},"ID.RA",[62,1507,1508],{},"Identification, analysis, and prioritization of cybersecurity risks",[44,1510,1511,1514,1517],{},[62,1512,1513],{},"Improvement",[62,1515,1516],{},"ID.IM",[62,1518,1519],{},"Lessons learned from assessments, tests, and incidents feed program improvements",[16,1521,1522],{},[1523,1524,1525],"em",{},"In NIST CSF 1.1 the Identify function also included Business Environment (ID.BE), Governance (ID.GV), Risk Management Strategy (ID.RM), and Supply Chain Risk Management (ID.SC). Those outcomes now live in the Govern function in NIST CSF 2.0.",[86,1527,1529],{"id":1528},"asset-management-idam","Asset Management (ID.AM)",[16,1531,1532],{},"ID.AM is the most foundational category in the entire NIST Cybersecurity Framework. It requires the organization to identify and manage all of the assets that enable it to achieve its business purposes, consistent with their relative importance to business objectives and the organization's risk strategy. 
Assets include physical devices, operating systems and applications, data, personnel, and external systems the organization depends on.",[16,1534,1535],{},"Practical ID.AM outcomes include:",[97,1537,1538,1541,1544,1552,1555,1558],{},[100,1539,1540],{},"A current inventory of hardware and physical devices.",[100,1542,1543],{},"A current inventory of software platforms and applications, including open-source components and SaaS subscriptions.",[100,1545,1546,1547,1551],{},"An inventory of data classified by sensitivity and regulatory obligation, linked to the systems that store and process it. (See our ",[257,1548,1550],{"href":1549},"\u002Fglossary\u002Fdata-classification","data classification"," primer.)",[100,1553,1554],{},"A map of communication and data flows — which systems talk to which, over which protocols, across which trust boundaries.",[100,1556,1557],{},"An inventory of external information systems the organization depends on, including suppliers, SaaS vendors, and managed services.",[100,1559,1560],{},"Prioritization of assets by criticality so that Protect, Detect, Respond, and Recover can focus on what matters most.",[86,1562,1564],{"id":1563},"risk-assessment-idra","Risk Assessment (ID.RA)",[16,1566,1567],{},"ID.RA is where the organization systematically identifies, analyzes, and prioritizes cybersecurity risks. ID.RA covers threat intelligence collection and analysis, vulnerability identification, likelihood and impact analysis, and risk determination. A mature ID.RA program produces a prioritized risk register that feeds directly into the Govern function's risk management strategy (GV.RM) and drives investment decisions across the other functions.",[16,1569,1570],{},"ID.RA is not a one-time activity. Threats evolve, the business changes, and new vulnerabilities are disclosed daily. 
Risk assessments should be refreshed on a regular cadence and triggered by significant events — major system changes, acquisitions, new product launches, or significant incidents.",[86,1572,1574],{"id":1573},"improvement-idim","Improvement (ID.IM)",[16,1576,1577],{},"ID.IM is new in NIST CSF 2.0. It captures the outcomes associated with continuous improvement of the cybersecurity program based on assessments, tests, exercises, incidents, and audits. ID.IM asks whether the organization systematically captures lessons learned and translates them into updated policies, controls, and practices. Without ID.IM, the NIST Cybersecurity Framework stops evolving with the organization.",[11,1579,145],{"id":144},[16,1581,1582],{},"A pragmatic sequence for building out the Identify function:",[150,1584,1585,1591,1597,1603,1609,1615],{},[100,1586,1587,1590],{},[20,1588,1589],{},"Pick an authoritative asset system of record."," Choose one tool (a CMDB, an endpoint management platform, or a cloud asset inventory) as the source of truth. Integrate data from other tools into it rather than maintaining parallel inventories.",[100,1592,1593,1596],{},[20,1594,1595],{},"Classify data."," Map every sensitive data type to the systems that store and process it. Link data classification to regulatory obligations (HIPAA, PCI DSS, GDPR, CUI) captured in the Govern function.",[100,1598,1599,1602],{},[20,1600,1601],{},"Draw a data flow diagram."," Even a rough diagram beats no diagram. Iterate it over time.",[100,1604,1605,1608],{},[20,1606,1607],{},"Build a prioritized risk register."," Begin with qualitative scoring (high \u002F medium \u002F low) and mature toward quantitative methods over time. Use the risk register as the single place where business, compliance, and engineering risks live.",[100,1610,1611,1614],{},[20,1612,1613],{},"Schedule formal risk assessments."," Pick a cadence (quarterly for dynamic environments, annually for stable ones) and stick to it. 
Trigger ad-hoc assessments after major changes.",[100,1616,1617,1620],{},[20,1618,1619],{},"Close the improvement loop."," After every audit, tabletop exercise, penetration test, or incident, capture lessons learned in ID.IM and feed them back into policy and control updates.",[11,1622,197],{"id":196},[16,1624,1625],{},"Identify fails for a handful of recurring reasons:",[97,1627,1628,1634,1640,1646,1652],{},[100,1629,1630,1633],{},[20,1631,1632],{},"Shadow IT and shadow SaaS."," Employees adopt tools the security team never sees. ID.AM erodes continuously unless the organization has a discovery and procurement process that catches new SaaS and cloud accounts early.",[100,1635,1636,1639],{},[20,1637,1638],{},"Inventory without criticality."," A 50,000-row CMDB is useless if every asset has the same priority. ID.AM must include criticality scoring that drives where Protect and Detect resources are applied.",[100,1641,1642,1645],{},[20,1643,1644],{},"Risk register as a spreadsheet graveyard."," Registers maintained in static spreadsheets drift out of date within weeks. Treat the risk register as a living artifact with owners, due dates, and review cadences.",[100,1647,1648,1651],{},[20,1649,1650],{},"Disconnected data classification."," Data classification schemes that nobody uses are common. Tie classification to access control, encryption, and DLP decisions so that the classification actually changes behavior.",[100,1653,1654,1657],{},[20,1655,1656],{},"Identify as a one-off project."," Many organizations treat Identify as a project to finish rather than a continuous capability. NIST CSF 2.0's ID.IM category is a deliberate counterweight.",[11,1659,252],{"id":251},[16,1661,1662,1663,261,1665,1667],{},"episki turns the Identify function into an always-on capability. 
Asset inventories, data classifications, data flow maps, and risk registers are maintained in one place, linked to the NIST CSF subcategories they satisfy and to the corresponding outcomes in ",[257,1664,260],{"href":259},[257,1666,265],{"href":264},", HIPAA, PCI DSS, and CMMC. Integrations pull hardware, software, and cloud asset data directly from the tools that already know. Risk assessments, improvement actions, and lessons-learned loops become tracked workflows rather than documents in a shared drive.",[16,1669,1670,1671,276,1674,1677],{},"Ready to make the NIST CSF Identify function live? ",[257,1672,275],{"href":272,"rel":1673},[274],[257,1675,281],{"href":279,"rel":1676},[274]," and stand up a working NIST CSF Identify profile in days, not quarters.",{"title":284,"searchDepth":285,"depth":285,"links":1679},[1680,1681,1682,1687,1688,1689],{"id":1426,"depth":285,"text":1427},{"id":1442,"depth":285,"text":1443},{"id":1471,"depth":285,"text":1472,"children":1683},[1684,1685,1686],{"id":1528,"depth":291,"text":1529},{"id":1563,"depth":291,"text":1564},{"id":1573,"depth":291,"text":1574},{"id":144,"depth":285,"text":145},{"id":196,"depth":285,"text":197},{"id":251,"depth":285,"text":252},"A complete guide to the NIST CSF Identify function — asset management, business environment, governance, risk assessment, risk management strategy, and supply chain risk.",{"items":1692},[1693,1696,1699,1702],{"label":1694,"content":1695},"What is the Identify function in NIST CSF?","The Identify function develops an organizational understanding of cybersecurity risk to systems, people, assets, data, and capabilities. 
Identify is the foundation of a NIST CSF program — you cannot protect, detect, respond to, or recover from threats to assets you do not know you own, and you cannot prioritize risk you have not assessed.",{"label":1697,"content":1698},"How did the Identify function change in NIST CSF 2.0?","NIST CSF 2.0 moved three categories out of Identify and into the new Govern function: Governance (ID.GV) became GV.OC, GV.RR, GV.PO, and GV.OV; Risk Management Strategy (ID.RM) became GV.RM; and Supply Chain Risk Management (ID.SC) became GV.SC. The Business Environment (ID.BE) outcomes were folded into GV.OC. Identify retains Asset Management (ID.AM), Risk Assessment (ID.RA), and the new Improvement (ID.IM) category, all focused on knowing what you own and what is at risk.",{"label":1700,"content":1701},"What is the most important Identify category?","Asset Management (ID.AM) is the foundational Identify category. Without a comprehensive inventory of hardware, software, data, and external systems, every other NIST CSF function operates on guesswork. Many breaches trace back to an unknown asset, an unknown account, or an unknown data flow.",{"label":1703,"content":1704},"How often should I update Identify function outputs?","Asset inventories, risk assessments, and data flow maps should be updated continuously for dynamic environments and at minimum annually for stable ones. Mature organizations use automated discovery tooling to keep inventories fresh in near real time and refresh formal risk assessments quarterly or after significant changes.",{},"\u002Fframeworks\u002Fnistcsf\u002Fidentify-function",[634,1410,1708,1411],"data-classification",[325,323,637,326],{"title":1711,"description":1712},"NIST CSF Identify Function (ID): Categories, Subcategories, and Implementation","The NIST CSF Identify function builds the foundation of a cybersecurity program. 
Learn ID.AM, ID.BE, ID.GV, ID.RA, ID.RM, and ID.SC and how to implement each.","5.frameworks\u002Fnistcsf\u002Fidentify-function","kYLnDboNU4QpQ5Ge-NNMwpovIoBpLMqu6W-XSfOIDns",{"id":1716,"title":1717,"body":1718,"description":2110,"extension":298,"faq":630,"frameworkSlug":313,"lastUpdated":314,"meta":2111,"navigation":316,"path":587,"relatedTerms":2112,"relatedTopics":2113,"seo":2114,"stem":2117,"__hash__":2118},"frameworkTopics\u002F5.frameworks\u002Fnistcsf\u002Fimplementation-tiers.md","NIST CSF Implementation Tiers",{"type":8,"value":1719,"toc":2090},[1720,1724,1727,1730,1733,1737,1741,1744,1750,1756,1762,1767,1784,1788,1791,1796,1801,1806,1811,1828,1832,1835,1840,1845,1850,1855,1875,1879,1882,1887,1892,1897,1902,1922,1926,1933,1937,1940,1954,1958,1961,1975,1979,1982,1996,2000,2007,2011,2014,2018,2035,2039,2059,2063,2083],[11,1721,1723],{"id":1722},"what-are-nist-csf-implementation-tiers","What are NIST CSF implementation tiers?",[16,1725,1726],{},"The NIST Cybersecurity Framework (CSF) uses four implementation tiers to describe the degree to which an organization's cybersecurity risk management practices exhibit the characteristics defined in the framework. The tiers range from Partial (Tier 1) to Adaptive (Tier 4) and provide context for how an organization views cybersecurity risk and the processes in place to manage that risk.",[16,1728,1729],{},"Implementation tiers are not maturity levels in the traditional sense. The NIST CSF explicitly states that tiers do not represent maturity, and organizations are not expected to progress to Tier 4 in all areas. 
Instead, tiers help organizations understand their current approach to cybersecurity risk management and determine whether that approach is appropriate given their threat environment, business requirements, and risk tolerance.",[16,1731,1732],{},"That said, most organizations use the tiers as a practical benchmark for measuring progress and setting improvement goals.",[11,1734,1736],{"id":1735},"the-four-implementation-tiers","The four implementation tiers",[86,1738,1740],{"id":1739},"tier-1-partial","Tier 1 - Partial",[16,1742,1743],{},"At Tier 1, cybersecurity risk management is ad hoc and reactive. The organization has limited awareness of cybersecurity risk and manages it on a case-by-case basis without established processes.",[16,1745,1746,1749],{},[20,1747,1748],{},"Risk management process:"," There is no formalized risk management process. Cybersecurity activities are performed irregularly and in response to specific events rather than proactively. Risk decisions are made without a systematic approach to identifying, assessing, and prioritizing risks.",[16,1751,1752,1755],{},[20,1753,1754],{},"Integrated risk management program:"," Cybersecurity is not integrated into organizational risk management. There is limited awareness at the management level of cybersecurity risks, and cybersecurity activities are not coordinated across the organization. Different departments may implement security controls independently without a unified strategy.",[16,1757,1758,1761],{},[20,1759,1760],{},"External participation:"," The organization does not understand its role in the broader ecosystem. 
There is little or no collaboration with external entities regarding cybersecurity threats, and the organization does not share or receive threat intelligence.",[16,1763,1764],{},[20,1765,1766],{},"Characteristics of Tier 1 organizations:",[97,1768,1769,1772,1775,1778,1781],{},[100,1770,1771],{},"No documented cybersecurity policies or only outdated ones",[100,1773,1774],{},"Incident response is improvised rather than planned",[100,1776,1777],{},"Asset inventories are incomplete or nonexistent",[100,1779,1780],{},"Security investments are reactive, driven by incidents or audit findings",[100,1782,1783],{},"Little to no awareness of supply chain cybersecurity risks",[86,1785,1787],{"id":1786},"tier-2-risk-informed","Tier 2 - Risk informed",[16,1789,1790],{},"At Tier 2, the organization is aware of cybersecurity risks and has begun to formalize its risk management practices, but implementation is inconsistent and may not extend across the entire organization.",[16,1792,1793,1795],{},[20,1794,1748],{}," Risk management practices are approved by management but may not be established as organization-wide policy. Risk awareness exists, but the processes for identifying and managing risk are not consistently applied. Some risk assessments have been conducted, but they may not be comprehensive or regularly updated.",[16,1797,1798,1800],{},[20,1799,1754],{}," There is some awareness of cybersecurity risk at the organizational level, but it may not be formally communicated or consistently integrated into enterprise-wide risk management. Some coordination exists between departments, but cybersecurity considerations may not factor into all business decisions.",[16,1802,1803,1805],{},[20,1804,1760],{}," The organization understands its role in the broader ecosystem but has not formalized its external engagement. 
Some informal information sharing may occur, but there is no structured participation in threat intelligence communities or supply chain risk management programs.",[16,1807,1808],{},[20,1809,1810],{},"Characteristics of Tier 2 organizations:",[97,1812,1813,1816,1819,1822,1825],{},[100,1814,1815],{},"Some documented cybersecurity policies exist but are not uniformly enforced",[100,1817,1818],{},"Risk assessments have been performed but may be outdated or incomplete",[100,1820,1821],{},"Incident response plans exist on paper but have not been regularly tested",[100,1823,1824],{},"Security awareness training is conducted but may be infrequent",[100,1826,1827],{},"Some vendor risk assessment processes are in place",[86,1829,1831],{"id":1830},"tier-3-repeatable","Tier 3 - Repeatable",[16,1833,1834],{},"At Tier 3, the organization has formalized its cybersecurity risk management practices into policies that are consistently applied across the organization. Risk management is integrated into organizational processes and regularly updated.",[16,1836,1837,1839],{},[20,1838,1748],{}," Risk management practices are formally approved, documented, and expressed as policy. Policies and procedures are regularly reviewed and updated based on changes to the threat landscape, technology, and business requirements. Risk assessments are conducted regularly and inform cybersecurity priorities and resource allocation.",[16,1841,1842,1844],{},[20,1843,1754],{}," Cybersecurity risk management is integrated into organizational risk management practices. Senior leadership considers cybersecurity risk alongside other business risks. There is organization-wide awareness of cybersecurity policies, and personnel at all levels understand their cybersecurity responsibilities.",[16,1846,1847,1849],{},[20,1848,1760],{}," The organization actively participates in external cybersecurity communities. 
It receives and acts on threat intelligence from industry groups, government agencies, and information sharing organizations. Supply chain risk management practices are formalized, and the organization understands and manages the cybersecurity risks associated with its third-party relationships.",[16,1851,1852],{},[20,1853,1854],{},"Characteristics of Tier 3 organizations:",[97,1856,1857,1860,1863,1866,1869,1872],{},[100,1858,1859],{},"Comprehensive, documented cybersecurity policies consistently enforced",[100,1861,1862],{},"Regular risk assessments that inform budgeting and prioritization",[100,1864,1865],{},"Tested incident response plans with defined roles and playbooks",[100,1867,1868],{},"Continuous security monitoring with SIEM and alerting capabilities",[100,1870,1871],{},"Formal vendor risk management programs",[100,1873,1874],{},"Regular reporting of cybersecurity posture to executive leadership",[86,1876,1878],{"id":1877},"tier-4-adaptive","Tier 4 - Adaptive",[16,1880,1881],{},"At Tier 4, the organization adapts its cybersecurity practices based on lessons learned and predictive indicators. Cybersecurity risk management is a core part of organizational culture and decision-making.",[16,1883,1884,1886],{},[20,1885,1748],{}," The organization continuously adapts its cybersecurity practices based on real-time threat intelligence, lessons learned from incidents, and predictive analytics. Risk management is dynamic and responds to changes in the threat environment proactively rather than reactively. Technologies and processes are continuously evaluated and improved.",[16,1888,1889,1891],{},[20,1890,1754],{}," Cybersecurity risk management is fully integrated into organizational culture. There is a clear understanding of risk tolerance, and cybersecurity considerations are embedded in all business decisions, from strategic planning to daily operations. 
Budget allocation reflects a risk-informed approach with flexibility to address emerging threats.",[16,1893,1894,1896],{},[20,1895,1760],{}," The organization actively contributes to the broader cybersecurity ecosystem. It shares threat intelligence, participates in industry working groups, and collaborates with partners and peers to improve collective security. Supply chain risk management is advanced, with continuous monitoring of third-party security postures.",[16,1898,1899],{},[20,1900,1901],{},"Characteristics of Tier 4 organizations:",[97,1903,1904,1907,1910,1913,1916,1919],{},[100,1905,1906],{},"Cybersecurity practices evolve based on threat intelligence and lessons learned",[100,1908,1909],{},"Automated, continuous monitoring with advanced analytics and anomaly detection",[100,1911,1912],{},"Mature incident response with regular exercises including tabletop and red team operations",[100,1914,1915],{},"Cybersecurity metrics tracked and reported to the board regularly",[100,1917,1918],{},"Active participation in ISACs and information sharing communities",[100,1920,1921],{},"Predictive capabilities that anticipate emerging threats",[11,1923,1925],{"id":1924},"assessing-your-current-tier","Assessing your current tier",[16,1927,1928,1929,1932],{},"Assessing your implementation tier requires honest evaluation across three dimensions for each of the ",[257,1930,1931],{"href":632},"five core functions",":",[86,1934,1936],{"id":1935},"step-1-evaluate-risk-management-processes","Step 1 - Evaluate risk management processes",[16,1938,1939],{},"Examine whether your cybersecurity risk management processes are documented, approved by leadership, consistently applied, and regularly updated. 
Consider the following questions:",[97,1941,1942,1945,1948,1951],{},[100,1943,1944],{},"Do you have a formal risk management framework?",[100,1946,1947],{},"Are risk assessments conducted regularly and used to inform security decisions?",[100,1949,1950],{},"Is there a defined risk tolerance that guides control selection?",[100,1952,1953],{},"Are risk management processes reviewed and updated when the threat landscape changes?",[86,1955,1957],{"id":1956},"step-2-assess-integration-with-organizational-risk-management","Step 2 - Assess integration with organizational risk management",[16,1959,1960],{},"Determine how deeply cybersecurity is embedded in overall business risk management:",[97,1962,1963,1966,1969,1972],{},[100,1964,1965],{},"Does executive leadership receive regular cybersecurity risk briefings?",[100,1967,1968],{},"Are cybersecurity considerations factored into business decisions such as new product launches, acquisitions, and vendor selections?",[100,1970,1971],{},"Is cybersecurity funding aligned with identified risks?",[100,1973,1974],{},"Do all departments understand their cybersecurity responsibilities?",[86,1976,1978],{"id":1977},"step-3-evaluate-external-participation","Step 3 - Evaluate external participation",[16,1980,1981],{},"Assess your engagement with the broader cybersecurity community:",[97,1983,1984,1987,1990,1993],{},[100,1985,1986],{},"Do you receive threat intelligence from industry groups or government sources?",[100,1988,1989],{},"Do you share threat information with peers?",[100,1991,1992],{},"Is supply chain cybersecurity risk formally managed?",[100,1994,1995],{},"Do you participate in sector-specific cybersecurity initiatives?",[86,1997,1999],{"id":1998},"step-4-build-a-tier-assessment-matrix","Step 4 - Build a tier assessment matrix",[16,2001,2002,2003,2006],{},"For each core function (Identify, Protect, Detect, Respond, Recover), rate your organization across the three dimensions. 
You may be at different tiers for different functions, which is normal. Use this matrix to build a ",[257,2004,2005],{"href":592},"framework profile"," that captures your current state and defines your target state.",[11,2008,2010],{"id":2009},"progressing-to-higher-tiers","Progressing to higher tiers",[16,2012,2013],{},"Tier progression should be driven by business need and risk tolerance, not by a desire to achieve the highest possible tier. For many organizations, Tier 3 represents an appropriate target that balances security maturity with resource investment.",[86,2015,2017],{"id":2016},"moving-from-tier-1-to-tier-2","Moving from Tier 1 to Tier 2",[97,2019,2020,2023,2026,2029,2032],{},[100,2021,2022],{},"Document your current cybersecurity policies, even if they are informal",[100,2024,2025],{},"Conduct an initial risk assessment to identify the most critical gaps",[100,2027,2028],{},"Establish basic asset management practices",[100,2030,2031],{},"Create an incident response plan, even a simple one",[100,2033,2034],{},"Begin security awareness training for all employees",[86,2036,2038],{"id":2037},"moving-from-tier-2-to-tier-3","Moving from Tier 2 to Tier 3",[97,2040,2041,2044,2047,2050,2053,2056],{},[100,2042,2043],{},"Formalize policies into organization-wide standards",[100,2045,2046],{},"Implement continuous security monitoring (SIEM, EDR, vulnerability scanning)",[100,2048,2049],{},"Integrate cybersecurity risk into enterprise risk management",[100,2051,2052],{},"Establish a formal vendor risk management program",[100,2054,2055],{},"Conduct regular tabletop exercises for incident response",[100,2057,2058],{},"Report cybersecurity metrics to executive leadership",[86,2060,2062],{"id":2061},"moving-from-tier-3-to-tier-4","Moving from Tier 3 to Tier 4",[97,2064,2065,2068,2071,2074,2077,2080],{},[100,2066,2067],{},"Implement advanced threat detection with behavioral analytics",[100,2069,2070],{},"Develop predictive capabilities based on threat 
intelligence",[100,2072,2073],{},"Conduct red team exercises and adversary emulation",[100,2075,2076],{},"Actively contribute to information sharing communities",[100,2078,2079],{},"Continuously optimize security controls based on performance metrics",[100,2081,2082],{},"Embed cybersecurity decision-making into all business processes",[16,2084,2085,2086,2089],{},"The NIST CSF implementation tiers provide a useful vocabulary for communicating cybersecurity maturity internally and externally. They also ",[257,2087,2088],{"href":597},"map effectively to other frameworks",", helping organizations that must meet multiple compliance requirements understand how maturity investments in one area benefit their overall posture.",{"title":284,"searchDepth":285,"depth":285,"links":2091},[2092,2093,2099,2105],{"id":1722,"depth":285,"text":1723},{"id":1735,"depth":285,"text":1736,"children":2094},[2095,2096,2097,2098],{"id":1739,"depth":291,"text":1740},{"id":1786,"depth":291,"text":1787},{"id":1830,"depth":291,"text":1831},{"id":1877,"depth":291,"text":1878},{"id":1924,"depth":285,"text":1925,"children":2100},[2101,2102,2103,2104],{"id":1935,"depth":291,"text":1936},{"id":1956,"depth":291,"text":1957},{"id":1977,"depth":291,"text":1978},{"id":1998,"depth":291,"text":1999},{"id":2009,"depth":285,"text":2010,"children":2106},[2107,2108,2109],{"id":2016,"depth":291,"text":2017},{"id":2037,"depth":291,"text":2038},{"id":2061,"depth":291,"text":2062},"A guide to the four NIST CSF implementation tiers, how to assess your current tier, and strategies for progressing to higher tiers.",{},[634],[1095,326,1096],{"title":2115,"description":2116},"NIST CSF Implementation Tiers - Tier 1 to 4 Assessment Guide","Learn the four NIST CSF implementation tiers from Partial to Adaptive. 
Assess your current cybersecurity maturity and plan your progression path.","5.frameworks\u002Fnistcsf\u002Fimplementation-tiers","_VG0Ohos-g1KhmjjwxcVs_9ndSoy55Ql4zzl54FuTis",{"id":2120,"title":2121,"body":2122,"description":2560,"extension":298,"faq":630,"frameworkSlug":313,"lastUpdated":314,"meta":2561,"navigation":316,"path":597,"relatedTerms":2562,"relatedTopics":2567,"seo":2568,"stem":2571,"__hash__":2572},"frameworkTopics\u002F5.frameworks\u002Fnistcsf\u002Fmapping-to-other-frameworks.md","Mapping NIST CSF to Other Frameworks",{"type":8,"value":2123,"toc":2534},[2124,2128,2131,2137,2141,2144,2148,2153,2164,2169,2180,2185,2193,2198,2206,2211,2216,2220,2226,2230,2233,2236,2241,2252,2257,2268,2273,2281,2286,2294,2299,2304,2307,2310,2314,2317,2320,2325,2336,2341,2352,2357,2362,2367,2375,2380,2385,2388,2391,2395,2404,2407,2412,2423,2428,2439,2444,2452,2457,2462,2467,2472,2475,2481,2485,2488,2492,2495,2499,2502,2506,2509,2513,2520,2524,2531],[11,2125,2127],{"id":2126},"why-framework-mapping-matters","Why framework mapping matters",[16,2129,2130],{},"Most organizations do not operate under a single compliance framework. A healthcare company processing payments may need to comply with HIPAA, PCI DSS, and SOC 2 simultaneously. A financial services firm may face ISO 27001 certification requirements alongside SOC 2 and PCI DSS. Without a structured approach to managing overlapping requirements, organizations end up duplicating effort, maintaining separate evidence repositories, and fatiguing both their security teams and their auditors.",[16,2132,2133,2134,2136],{},"The NIST Cybersecurity Framework serves as an effective common denominator for multi-framework compliance. Its broad scope, voluntary nature, and risk-based approach make it a natural organizing structure. 
By mapping other frameworks to the NIST CSF's ",[257,2135,1931],{"href":632}," and their categories, organizations can implement controls once and demonstrate compliance across multiple standards. The category identifiers used in the mappings below (for example ID.GV, PR.AC, and DE.DP) are the NIST CSF 1.1 identifiers; in NIST CSF 2.0, ID.GV, ID.RM, and ID.SC moved into the Govern function, PR.AC became PR.AA, and DE.DP was folded into DE.AE and Govern. The mapped target controls are unchanged.",[11,2138,2140],{"id":2139},"nist-csf-to-soc-2","NIST CSF to SOC 2",[16,2142,2143],{},"SOC 2 is built around five Trust Services Criteria (TSC): Security, Availability, Processing Integrity, Confidentiality, and Privacy. The Security criterion (also known as the Common Criteria) is required for all SOC 2 reports, while the other four are optional based on the services provided.",[86,2145,2147],{"id":2146},"key-mappings","Key mappings",[16,2149,2150],{},[20,2151,2152],{},"Identify function to SOC 2:",[97,2154,2155,2158,2161],{},[100,2156,2157],{},"Asset management (ID.AM) maps to CC6.1 (logical and physical access controls) and CC6.6 (boundary protection)",[100,2159,2160],{},"Risk assessment (ID.RA) maps to CC3.1 through CC3.4 (risk assessment criteria)",[100,2162,2163],{},"Governance (ID.GV) maps to CC1.1 through CC1.5 (control environment)",[16,2165,2166],{},[20,2167,2168],{},"Protect function to SOC 2:",[97,2170,2171,2174,2177],{},[100,2172,2173],{},"Access control (PR.AC) maps directly to CC6.1 through CC6.8 (logical and physical access)",[100,2175,2176],{},"Data security (PR.DS) maps to CC6.1 (encryption), CC6.7 (data transmission), and C1.1-C1.2 (Confidentiality criteria)",[100,2178,2179],{},"Awareness and training (PR.AT) maps to CC1.4 (competence and accountability)",[16,2181,2182],{},[20,2183,2184],{},"Detect function to SOC 2:",[97,2186,2187,2190],{},[100,2188,2189],{},"Security continuous monitoring (DE.CM) maps to CC7.1 through CC7.3 (system monitoring and incident detection)",[100,2191,2192],{},"Anomalies and events (DE.AE) maps to CC7.2 (monitoring for anomalies)",[16,2194,2195],{},[20,2196,2197],{},"Respond function to SOC 2:",[97,2199,2200,2203],{},[100,2201,2202],{},"Response planning and mitigation (RS.RP, RS.MI) map to CC7.3 through CC7.5 (incident 
response and recovery)",[100,2204,2205],{},"Communications (RS.CO) maps to CC2.2 and CC2.3 (internal and external communications)",[16,2207,2208],{},[20,2209,2210],{},"Recover function to SOC 2:",[97,2212,2213],{},[100,2214,2215],{},"Recovery planning (RC.RP) maps to CC7.5 (recovery activities) and A1.2-A1.3 (Availability criteria)",[86,2217,2219],{"id":2218},"practical-considerations","Practical considerations",[16,2221,2222,2223,2225],{},"SOC 2 is principles-based rather than prescriptive, giving organizations flexibility in how they meet each criterion. Organizations that have built their ",[257,2224,593],{"href":592}," around the NIST CSF can map their existing controls directly to SOC 2 criteria with minimal additional effort. The main gap is typically in the Privacy and Processing Integrity criteria, which have limited direct mapping to NIST CSF subcategories.",[11,2227,2229],{"id":2228},"nist-csf-to-iso-27001","NIST CSF to ISO 27001",[16,2231,2232],{},"ISO 27001 is an international standard for information security management systems (ISMS). It requires organizations to establish, implement, maintain, and continually improve an ISMS. 
The standard includes 93 controls organized across four themes in the 2022 revision (organizational, people, physical, and technological).",[86,2234,2147],{"id":2235},"key-mappings-1",[16,2237,2238],{},[20,2239,2240],{},"Identify function to ISO 27001:",[97,2242,2243,2246,2249],{},[100,2244,2245],{},"Asset management (ID.AM) maps to A.5.9 through A.5.12 in ISO 27001:2022 (inventory of information and other associated assets, acceptable use, return of assets, and classification of information)",[100,2247,2248],{},"Risk assessment (ID.RA) maps directly to clauses 6.1.2 and 8.2 (risk assessment process), which is the core of ISO 27001",[100,2250,2251],{},"Governance (ID.GV) maps to clauses 5.1 through 5.3 (leadership and commitment)",[16,2253,2254],{},[20,2255,2256],{},"Protect function to ISO 27001:",[97,2258,2259,2262,2265],{},[100,2260,2261],{},"Access control (PR.AC) maps to A.5.15 through A.5.18 (access control, identity management, authentication information, and access rights) and A.8.2 through A.8.5 (privileged access rights, information access restriction, access to source code, and secure authentication)",[100,2263,2264],{},"Data security (PR.DS) maps to A.8.10 through A.8.12 (information deletion, data masking, and data leakage prevention) and A.8.24 (use of cryptography)",[100,2266,2267],{},"Awareness and training (PR.AT) maps to A.6.3 (information security awareness, education, and training)",[16,2269,2270],{},[20,2271,2272],{},"Detect function to ISO 27001:",[97,2274,2275,2278],{},[100,2276,2277],{},"Security continuous monitoring (DE.CM) maps to A.8.15 (logging) and A.8.16 (monitoring activities)",[100,2279,2280],{},"Detection processes (DE.DP) maps to clause 9.1 (monitoring, measurement, analysis, and evaluation)",[16,2282,2283],{},[20,2284,2285],{},"Respond function to ISO 27001:",[97,2287,2288,2291],{},[100,2289,2290],{},"Response planning (RS.RP) maps to A.5.24 through A.5.28 (incident management planning, assessment, response, learning, and evidence collection)",[100,2292,2293],{},"Analysis (RS.AN) maps to A.5.27 (learning from information security incidents)",[16,2295,2296],{},[20,2297,2298],{},"Recover function to ISO 27001:",[97,2300,2301],{},[100,2302,2303],{},"Recovery planning (RC.RP) maps to A.5.29 (information security during disruption) and A.5.30 (ICT readiness for business continuity)",[86,2305,2219],{"id":2306},"practical-considerations-1",[16,2308,2309],{},"ISO 27001 and the NIST CSF 
share strong conceptual alignment. Both emphasize risk-based approaches, continuous improvement, and management engagement. Organizations pursuing ISO 27001 certification that already have NIST CSF profiles will find that much of the groundwork for the ISMS has already been completed. The primary additional effort for ISO 27001 involves establishing the formal management system structure (clauses 4 through 10) and conducting the required management reviews and internal audits.",[11,2311,2313],{"id":2312},"nist-csf-to-hipaa","NIST CSF to HIPAA",[16,2315,2316],{},"HIPAA's Security Rule establishes requirements for protecting electronic protected health information (ePHI). It is organized into Administrative, Physical, and Technical Safeguards.",[86,2318,2147],{"id":2319},"key-mappings-2",[16,2321,2322],{},[20,2323,2324],{},"Identify function to HIPAA:",[97,2326,2327,2330,2333],{},[100,2328,2329],{},"Risk assessment (ID.RA) maps directly to the HIPAA Security Rule requirement for risk analysis (45 CFR 164.308(a)(1)(ii)(A))",[100,2331,2332],{},"Asset management (ID.AM) maps to device and media controls (45 CFR 164.310(d))",[100,2334,2335],{},"Governance (ID.GV) maps to assigned security responsibility (45 CFR 164.308(a)(2))",[16,2337,2338],{},[20,2339,2340],{},"Protect function to HIPAA:",[97,2342,2343,2346,2349],{},[100,2344,2345],{},"Access control (PR.AC) maps to access controls (45 CFR 164.312(a)) and facility access controls (45 CFR 164.310(a))",[100,2347,2348],{},"Awareness and training (PR.AT) maps to security awareness and training (45 CFR 164.308(a)(5))",[100,2350,2351],{},"Data security (PR.DS) maps to transmission security (45 CFR 164.312(e)) and integrity controls (45 CFR 164.312(c))",[16,2353,2354],{},[20,2355,2356],{},"Detect function to HIPAA:",[97,2358,2359],{},[100,2360,2361],{},"Security continuous monitoring (DE.CM) maps to audit controls (45 CFR 164.312(b)) and information system activity review (45 CFR 
164.308(a)(1)(ii)(D))",[16,2363,2364],{},[20,2365,2366],{},"Respond function to HIPAA:",[97,2368,2369,2372],{},[100,2370,2371],{},"Response planning (RS.RP) maps to security incident procedures (45 CFR 164.308(a)(6))",[100,2373,2374],{},"Communications (RS.CO) maps to breach notification requirements (45 CFR 164.400-414)",[16,2376,2377],{},[20,2378,2379],{},"Recover function to HIPAA:",[97,2381,2382],{},[100,2383,2384],{},"Recovery planning (RC.RP) maps to contingency plan (45 CFR 164.308(a)(7)) including data backup, disaster recovery, and emergency mode operations",[86,2386,2219],{"id":2387},"practical-considerations-2",[16,2389,2390],{},"HIPAA is less prescriptive than PCI DSS or ISO 27001, using terms like \"reasonable and appropriate\" to describe required safeguards. This flexibility means organizations must use their risk analysis to determine the specificity of controls, which aligns well with the NIST CSF's risk-based approach. HHS has published a crosswalk between the HIPAA Security Rule and the NIST CSF that provides detailed subcategory-level mappings.",[11,2392,2394],{"id":2393},"nist-csf-to-pci-dss","NIST CSF to PCI DSS",[16,2396,2397,2399,2400,282],{},[257,2398,603],{"href":602}," is the most prescriptive of the frameworks discussed here, with specific technical requirements and testing procedures for each of its ",[257,2401,2403],{"href":2402},"\u002Fframeworks\u002Fpci\u002Frequirements","12 requirements",[86,2405,2147],{"id":2406},"key-mappings-3",[16,2408,2409],{},[20,2410,2411],{},"Identify function to PCI DSS:",[97,2413,2414,2417,2420],{},[100,2415,2416],{},"Asset management (ID.AM) maps to Requirement 2 (system inventory and configuration management) and Requirement 12 (information security policy)",[100,2418,2419],{},"Risk assessment (ID.RA) maps to Requirement 12.3 (risk assessment)",[100,2421,2422],{},"Supply chain risk management (ID.SC) maps to Requirement 12.8 (third-party service provider 
management)",[16,2424,2425],{},[20,2426,2427],{},"Protect function to PCI DSS:",[97,2429,2430,2433,2436],{},[100,2431,2432],{},"Access control (PR.AC) maps to Requirements 7, 8, and 9 (access control, authentication, physical security)",[100,2434,2435],{},"Data security (PR.DS) maps to Requirements 3 and 4 (stored data protection and transmission encryption)",[100,2437,2438],{},"Protective technology (PR.PT) maps to Requirements 1 and 5 (network security controls and anti-malware)",[16,2440,2441],{},[20,2442,2443],{},"Detect function to PCI DSS:",[97,2445,2446,2449],{},[100,2447,2448],{},"Security continuous monitoring (DE.CM) maps to Requirement 10 (logging and monitoring) and Requirement 11 (vulnerability scanning and IDS\u002FIPS)",[100,2450,2451],{},"Anomalies and events (DE.AE) maps to Requirement 10.4 (audit log review)",[16,2453,2454],{},[20,2455,2456],{},"Respond function to PCI DSS:",[97,2458,2459],{},[100,2460,2461],{},"Response planning (RS.RP) maps to Requirement 12.10 (incident response plan)",[16,2463,2464],{},[20,2465,2466],{},"Recover function to PCI DSS:",[97,2468,2469],{},[100,2470,2471],{},"Recovery planning (RC.RP) maps to Requirement 12.10.1 (business recovery and continuity procedures and data backup processes within the incident response plan) and 12.10.2 (annual review and testing of that plan)",[86,2473,2219],{"id":2474},"practical-considerations-3",[16,2476,2477,2478,2480],{},"PCI DSS controls are more specific than NIST CSF subcategories, meaning a single PCI DSS requirement may address multiple NIST CSF subcategories or vice versa. Organizations that use the NIST CSF as their primary framework will need to supplement their profiles with PCI DSS-specific technical controls. 
However, the NIST CSF provides the risk management and governance structure that supports a sustainable ",[257,2479,851],{"href":602}," program.",[11,2482,2484],{"id":2483},"building-a-unified-control-framework","Building a unified control framework",[16,2486,2487],{},"To operationalize framework mapping effectively:",[86,2489,2491],{"id":2490},"create-a-control-matrix","Create a control matrix",[16,2493,2494],{},"Build a master control matrix that lists each control once and maps it to every applicable framework requirement. This eliminates duplicate controls and ensures that evidence collected for one audit can be reused for others.",[86,2496,2498],{"id":2497},"centralize-evidence-collection","Centralize evidence collection",[16,2500,2501],{},"Implement a single repository for compliance evidence. When you collect evidence for a NIST CSF subcategory, tag it with the corresponding SOC 2 criteria, ISO 27001 controls, HIPAA safeguards, and PCI DSS requirements. Record the collection date and the source system on each artifact as well: a SOC 2 Type II auditor samples evidence across an observation period, while a PCI DSS assessor needs evidence that is current at assessment time, so the same artifact satisfies both only when its timing is documented. This dramatically reduces evidence collection effort during audit season.",[86,2503,2505],{"id":2504},"harmonize-assessment-schedules","Harmonize assessment schedules",[16,2507,2508],{},"Align your internal assessments and external audits to minimize disruption. If your SOC 2 audit occurs in Q1 and your PCI DSS assessment in Q3, schedule internal control testing to feed both assessments rather than running separate testing cycles.",[86,2510,2512],{"id":2511},"use-nist-csf-as-the-organizing-layer","Use NIST CSF as the organizing layer",[16,2514,2515,2516,2519],{},"The NIST CSF's ",[257,2517,2518],{"href":632},"six functions"," provide an intuitive organizing structure that stakeholders across the business can understand. Technical teams work at the subcategory level, mapping specific controls to framework requirements. Executives receive reporting at the function level, understanding the organization's posture across Govern, Identify, Protect, Detect, Respond, and Recover. 
This layered communication approach works because the NIST CSF was designed for exactly this purpose.",[86,2521,2523],{"id":2522},"leverage-implementation-tiers-for-maturity-tracking","Leverage implementation tiers for maturity tracking",[16,2525,2526,2527,2530],{},"Use ",[257,2528,2529],{"href":587},"NIST CSF implementation tiers"," to track maturity across all mapped frameworks. As you progress from Tier 2 to Tier 3, the systematic policy-driven approach benefits every framework simultaneously. This is more efficient than tracking maturity separately for each compliance requirement.",[16,2532,2533],{},"Framework mapping is not a one-time project. As frameworks are updated (NIST CSF 2.0, PCI DSS v4.0, ISO 27001:2022), mappings must be refreshed to reflect new requirements and structural changes. Maintaining current mappings ensures that your unified control framework remains accurate and continues to reduce compliance overhead.",{"title":284,"searchDepth":285,"depth":285,"links":2535},[2536,2537,2541,2545,2549,2553],{"id":2126,"depth":285,"text":2127},{"id":2139,"depth":285,"text":2140,"children":2538},[2539,2540],{"id":2146,"depth":291,"text":2147},{"id":2218,"depth":291,"text":2219},{"id":2228,"depth":285,"text":2229,"children":2542},[2543,2544],{"id":2235,"depth":291,"text":2147},{"id":2306,"depth":291,"text":2219},{"id":2312,"depth":285,"text":2313,"children":2546},[2547,2548],{"id":2319,"depth":291,"text":2147},{"id":2387,"depth":291,"text":2219},{"id":2393,"depth":285,"text":2394,"children":2550},[2551,2552],{"id":2406,"depth":291,"text":2147},{"id":2474,"depth":291,"text":2219},{"id":2483,"depth":285,"text":2484,"children":2554},[2555,2556,2557,2558,2559],{"id":2490,"depth":291,"text":2491},{"id":2497,"depth":291,"text":2498},{"id":2504,"depth":291,"text":2505},{"id":2511,"depth":291,"text":2512},{"id":2522,"depth":291,"text":2523},"How the NIST Cybersecurity Framework maps to SOC 2, ISO 27001, HIPAA, and PCI DSS, enabling efficient multi-framework 
compliance.",{},[634,2563,2564,2565,2566],"soc2","iso27001","hipaa","pci-dss",[1095,326,636],{"title":2569,"description":2570},"Mapping NIST CSF to SOC 2, ISO 27001, HIPAA, and PCI DSS","Learn how NIST CSF maps to SOC 2, ISO 27001, HIPAA, and PCI DSS. Reduce audit fatigue with unified controls across multiple compliance frameworks.","5.frameworks\u002Fnistcsf\u002Fmapping-to-other-frameworks","PyHbyZtZIxNF1Nlz-mfVBFbQQE0BWZaGSpteiuaRN8o",{"id":2574,"title":2575,"body":2576,"description":2837,"extension":298,"faq":2838,"frameworkSlug":313,"lastUpdated":314,"meta":2852,"navigation":316,"path":2853,"relatedTerms":2854,"relatedTopics":2859,"seo":2861,"stem":2864,"__hash__":2865},"frameworkTopics\u002F5.frameworks\u002Fnistcsf\u002Fprotect-function.md","NIST CSF Protect Function",{"type":8,"value":2577,"toc":2823},[2578,2582,2588,2591,2595,2598,2601,2670,2674,2677,2680,2684,2687,2691,2694,2698,2701,2705,2708,2710,2713,2751,2753,2756,2794,2798,2801,2804,2806,2814],[11,2579,2581],{"id":2580},"what-is-the-nist-csf-protect-function","What is the NIST CSF Protect function?",[16,2583,18,2584,2587],{},[20,2585,2586],{},"Protect (PR) function"," implements the safeguards that ensure delivery of critical services and that limit or contain the impact of cybersecurity events. If Identify is the map and Govern is the strategy, Protect is where the majority of day-to-day cybersecurity engineering work happens. Firewalls, identity providers, endpoint agents, encryption, access reviews, secure configuration baselines, awareness training — almost every tangible cybersecurity control lives somewhere inside Protect.",[16,2589,2590],{},"Protect is also the function most at risk of becoming a tool-buying exercise. Organizations that skip straight from \"we need to do cybersecurity\" to \"let's buy an EDR\" typically end up with a large tool stack and thin outcomes. 
The discipline of the NIST Cybersecurity Framework is that every Protect control should map back to an outcome described in an Identify-driven risk assessment and a Govern-driven risk strategy. Protect earns its place not by the number of tools deployed but by the reduction in residual risk it delivers.",[11,2592,2594],{"id":2593},"how-protect-changed-in-nist-csf-20","How Protect changed in NIST CSF 2.0",[16,2596,2597],{},"NIST CSF 2.0 streamlined the Protect function. NIST CSF 1.1 contained six Protect categories: Identity Management, Authentication, and Access Control (PR.AC), Awareness and Training (PR.AT), Data Security (PR.DS), Information Protection Processes and Procedures (PR.IP), Maintenance (PR.MA), and Protective Technology (PR.PT). Several of these overlapped, and practitioners often had trouble deciding where specific controls belonged.",[16,2599,2600],{},"NIST CSF 2.0 reorganized Protect into five cleaner categories:",[38,2602,2603,2613],{},[41,2604,2605],{},[44,2606,2607,2609,2611],{},[47,2608,49],{},[47,2610,52],{},[47,2612,55],{},[57,2614,2615,2626,2637,2648,2659],{},[44,2616,2617,2620,2623],{},[62,2618,2619],{},"Identity Management, Authentication, and Access Control",[62,2621,2622],{},"PR.AA",[62,2624,2625],{},"Identity lifecycle, authentication, authorization, and least privilege",[44,2627,2628,2631,2634],{},[62,2629,2630],{},"Awareness and Training",[62,2632,2633],{},"PR.AT",[62,2635,2636],{},"Security-relevant awareness and role-based training",[44,2638,2639,2642,2645],{},[62,2640,2641],{},"Data Security",[62,2643,2644],{},"PR.DS",[62,2646,2647],{},"Confidentiality, integrity, and availability of data at rest, in transit, and in use",[44,2649,2650,2653,2656],{},[62,2651,2652],{},"Platform Security",[62,2654,2655],{},"PR.PS",[62,2657,2658],{},"Hardening, configuration, patching, and secure software supply chain of platforms",[44,2660,2661,2664,2667],{},[62,2662,2663],{},"Technology Infrastructure 
Resilience",[62,2665,2666],{},"PR.IR",[62,2668,2669],{},"Network, environmental, and infrastructure resilience against disruption",[86,2671,2673],{"id":2672},"identity-management-authentication-and-access-control-praa","Identity Management, Authentication, and Access Control (PR.AA)",[16,2675,2676],{},"PR.AA is where most of the security world's attention belongs. It covers the entire identity lifecycle — provisioning, authentication, authorization, re-certification, and deprovisioning — for users, services, and devices. Key PR.AA outcomes include multi-factor authentication on all remote and privileged access, least-privilege access controls, privileged access management with just-in-time elevation, access reviews at a defined cadence, and robust deprovisioning when employees leave.",[16,2678,2679],{},"Well-executed PR.AA is the single most impactful thing most organizations can do. Nearly every major breach of the last five years involved identity — credential theft, session hijacking, OAuth abuse, MFA fatigue, or a dormant account that should have been disabled.",[86,2681,2683],{"id":2682},"awareness-and-training-prat","Awareness and Training (PR.AT)",[16,2685,2686],{},"PR.AT covers cybersecurity awareness for all personnel and role-specific training for those with elevated responsibilities. General-purpose phishing awareness is table stakes; role-based training for developers, administrators, finance staff, and executives is where PR.AT delivers disproportionate value. Mature programs also train the board and senior leadership, because many of the Govern function's oversight obligations depend on leadership being literate in cybersecurity risk.",[86,2688,2690],{"id":2689},"data-security-prds","Data Security (PR.DS)",[16,2692,2693],{},"PR.DS protects the confidentiality, integrity, and availability of data across its lifecycle. 
It covers encryption at rest and in transit, key management, data loss prevention, integrity monitoring, data minimization, and secure data disposal. PR.DS outcomes should track the data classifications established in the Identify function — the most sensitive data warrants the strongest controls.",[86,2695,2697],{"id":2696},"platform-security-prps","Platform Security (PR.PS)",[16,2699,2700],{},"PR.PS consolidates several NIST CSF 1.1 categories into a unified focus on the platforms that run the organization's software: servers, endpoints, mobile devices, containers, cloud services, and the software supply chain. PR.PS covers secure configuration baselines, hardening, patching and vulnerability remediation, change management, and the integrity of the software supply chain from build through deployment.",[86,2702,2704],{"id":2703},"technology-infrastructure-resilience-prir","Technology Infrastructure Resilience (PR.IR)",[16,2706,2707],{},"PR.IR covers the resilience of the underlying infrastructure — networks, environmental controls, and the physical and virtual facilities that host the organization's systems. Network segmentation, redundancy, fail-over architectures, and environmental protections (power, cooling, physical access) all live here. PR.IR partially overlaps with the Recover function but focuses on the preventive side: building infrastructure that resists disruption in the first place.",[11,2709,145],{"id":144},[16,2711,2712],{},"A pragmatic sequence for standing up the Protect function:",[150,2714,2715,2721,2727,2733,2739,2745],{},[100,2716,2717,2720],{},[20,2718,2719],{},"Lock down identity first."," Enforce MFA everywhere it is possible, implement SSO, tier administrative accounts, and commit to quarterly access reviews. These PR.AA basics eliminate the majority of common attack paths.",[100,2722,2723,2726],{},[20,2724,2725],{},"Encrypt by default."," Encryption at rest for storage, TLS for data in transit, and managed key rotation. 
Tie key management to the Identify function's data classification so that the most sensitive data receives the strongest protection.",[100,2728,2729,2732],{},[20,2730,2731],{},"Establish configuration baselines."," Pick a standard (CIS Benchmarks, DISA STIGs, or a cloud provider's security baseline) and measure drift continuously.",[100,2734,2735,2738],{},[20,2736,2737],{},"Automate patching and vulnerability management."," The goal is not zero vulnerabilities; it is a short mean-time-to-remediate for the vulnerabilities that matter most.",[100,2740,2741,2744],{},[20,2742,2743],{},"Build a real awareness program."," Phishing simulations, role-based training, and annual certification. Metrics that matter: phishing click rate over time, training completion, reported suspicious emails.",[100,2746,2747,2750],{},[20,2748,2749],{},"Segment the network."," Flat networks are where ransomware thrives. Basic segmentation between workstations, servers, and operational technology dramatically reduces blast radius.",[11,2752,197],{"id":196},[16,2754,2755],{},"Protect programs commonly hit these walls:",[97,2757,2758,2764,2770,2776,2782,2788],{},[100,2759,2760,2763],{},[20,2761,2762],{},"Tool sprawl without outcome improvement."," Buying more tools does not automatically improve Protect maturity. Every tool should map to a specific NIST CSF subcategory and a measurable outcome.",[100,2765,2766,2769],{},[20,2767,2768],{},"MFA exceptions that swallow the benefit."," \"Emergency\" accounts, service accounts, and legacy applications without MFA undo most of the value of PR.AA. Track and retire these exceptions aggressively.",[100,2771,2772,2775],{},[20,2773,2774],{},"Stale access rights."," Access reviews that are performed but not acted on (access is never actually revoked) are a common audit finding. 
Build tooling that makes revocation the default.",[100,2777,2778,2781],{},[20,2779,2780],{},"Configuration drift."," Baselines that are set once and never re-measured drift within weeks. Continuous configuration monitoring is table stakes in modern Protect programs.",[100,2783,2784,2787],{},[20,2785,2786],{},"Training that nobody respects."," Hour-long cringe-worthy training videos fail both the compliance and the behavior-change test. Short, relevant, role-based training beats annual endurance tests.",[100,2789,2790,2793],{},[20,2791,2792],{},"Unclear ownership."," Protect controls commonly span IT, security, platform engineering, and product teams. Without clear ownership (set in the Govern function's GV.RR), controls fall through the cracks.",[11,2795,2797],{"id":2796},"measuring-protect-outcomes","Measuring Protect outcomes",[16,2799,2800],{},"The Protect function is the NIST CSF function with the widest gap between compliance reporting and real security outcomes. Compliance-first Protect programs optimize for \"controls in place.\" Outcome-first Protect programs optimize for metrics that reflect actual risk reduction: MFA coverage as a percentage of authentications, mean time to patch critical vulnerabilities, percentage of privileged access granted just in time rather than standing, phishing reporting rate, encryption coverage of sensitive data, and baseline compliance drift over time. These metrics should be reported to the Govern function's oversight process so leadership can tell whether Protect investments are actually moving the dial.",[16,2802,2803],{},"Mature NIST CSF Protect programs also test their safeguards continuously. Red-team exercises, penetration tests, breach-and-attack-simulation tooling, and purple-team collaboration all validate that Protect controls behave as expected under adversary conditions. 
Controls that look strong on paper and fail under realistic pressure are a common failure mode that only testing exposes.",[11,2805,252],{"id":251},[16,2807,2808,2809,261,2811,2813],{},"episki maps every Protect subcategory to concrete controls, evidence collection, and the owning team — then keeps that mapping live through integrations with your identity provider, endpoint management tooling, vulnerability scanners, and cloud providers. MFA coverage, access review completion, patch SLAs, and baseline drift all become real-time metrics on an executive dashboard. Controls that satisfy the NIST CSF Protect function are automatically mapped to the corresponding ",[257,2810,260],{"href":259},[257,2812,265],{"href":264},", HIPAA, PCI DSS, and CMMC requirements, so the same evidence satisfies multiple frameworks.",[16,2815,2816,2817,276,2820,282],{},"Ready to operate the NIST CSF Protect function instead of just documenting it? ",[257,2818,275],{"href":272,"rel":2819},[274],[257,2821,281],{"href":279,"rel":2822},[274],{"title":284,"searchDepth":285,"depth":285,"links":2824},[2825,2826,2833,2834,2835,2836],{"id":2580,"depth":285,"text":2581},{"id":2593,"depth":285,"text":2594,"children":2827},[2828,2829,2830,2831,2832],{"id":2672,"depth":291,"text":2673},{"id":2682,"depth":291,"text":2683},{"id":2689,"depth":291,"text":2690},{"id":2696,"depth":291,"text":2697},{"id":2703,"depth":291,"text":2704},{"id":144,"depth":285,"text":145},{"id":196,"depth":285,"text":197},{"id":2796,"depth":285,"text":2797},{"id":251,"depth":285,"text":252},"A complete guide to the NIST CSF Protect function — identity and access, awareness and training, data security, platform security, and technology infrastructure resilience.",{"items":2839},[2840,2843,2846,2849],{"label":2841,"content":2842},"What is the Protect function in NIST CSF?","The Protect function implements safeguards to ensure delivery of critical services and to limit or contain the impact of cybersecurity events. 
Protect is where most preventive controls live — identity and access management, encryption, endpoint hardening, secure configuration, awareness training, and infrastructure resilience.",{"label":2844,"content":2845},"How did the Protect function change in NIST CSF 2.0?","NIST CSF 2.0 restructured Protect into five categories: Identity Management, Authentication, and Access Control (PR.AA), Awareness and Training (PR.AT), Data Security (PR.DS), Platform Security (PR.PS), and Technology Infrastructure Resilience (PR.IR). Several CSF 1.1 categories were consolidated — Information Protection Processes and Procedures (PR.IP) and Maintenance (PR.MA) were merged into PR.PS and PR.IR.",{"label":2847,"content":2848},"What is the most impactful Protect category?","Identity Management, Authentication, and Access Control (PR.AA) is typically the highest-leverage Protect category. The majority of modern breaches involve compromised identities — phished credentials, reused passwords, missing MFA, or over-privileged accounts. Strong PR.AA dramatically reduces the blast radius of a successful attack.",{"label":2850,"content":2851},"Do I need every Protect subcategory at the same maturity level?","No. NIST CSF expects organizations to set different target outcomes for different subcategories based on risk, and to record them in the Target Profile. A healthcare provider may set a demanding target for PR.DS (Data Security) while accepting a more modest one for Platform Security. Note that Implementation Tiers are not per-subcategory maturity levels: a Tier describes the rigor of the organization's risk governance and management practices as a whole, so the Tier is chosen once for the organization while the profile built in the Govern function sets the per-subcategory targets.",{},"\u002Fframeworks\u002Fnistcsf\u002Fprotect-function",[2855,2856,2857,2858],"access-control","encryption","key-management","mfa",[1413,2860,325,326],"detect-function",{"title":2862,"description":2863},"NIST CSF Protect Function (PR): Categories, Subcategories, and Implementation","The NIST CSF Protect function deploys safeguards that limit the impact of cybersecurity events. 
Learn PR.AA, PR.AT, PR.DS, PR.PS, and PR.IR and how to implement each.","5.frameworks\u002Fnistcsf\u002Fprotect-function","nJ2OlmDAyPKZSfd8fAdVWZdo_-azkkrhNIPJ2LSCfAw",{"id":2867,"title":2868,"body":2869,"description":3119,"extension":298,"faq":3120,"frameworkSlug":313,"lastUpdated":314,"meta":3134,"navigation":316,"path":3135,"relatedTerms":3136,"relatedTopics":3140,"seo":3141,"stem":3144,"__hash__":3145},"frameworkTopics\u002F5.frameworks\u002Fnistcsf\u002Frecover-function.md","NIST CSF Recover Function",{"type":8,"value":2870,"toc":3108},[2871,2875,2881,2884,2887,2891,2894,2930,2933,2937,2940,2943,2975,2979,2982,2984,2987,3030,3032,3035,3079,3083,3086,3089,3091,3099],[11,2872,2874],{"id":2873},"what-is-the-nist-csf-recover-function","What is the NIST CSF Recover function?",[16,2876,18,2877,2880],{},[20,2878,2879],{},"Recover (RC) function"," is the final function in the NIST Cybersecurity Framework lifecycle. Its purpose is to maintain plans for resilience and to restore any capabilities or services that were impaired by a cybersecurity incident. Recover picks up where Respond ends — once the attacker has been contained and eradicated, Recover is responsible for getting the business back to normal operation, rebuilding trust with customers and regulators, and capturing lessons that strengthen the rest of the NIST CSF program.",[16,2882,2883],{},"Recover is the function most often conflated with business continuity and disaster recovery (BC\u002FDR), and for good reason: the two disciplines share tooling, plans, and testing practices. But Recover is specifically the cybersecurity slice of BC\u002FDR. Recovering from a hurricane, a power outage, or a cloud provider failure is traditional BC\u002FDR territory. 
Recovering from ransomware, destructive malware, data integrity compromise, or a supplier cyber incident adds cybersecurity-specific concerns — forensic preservation, supply-chain verification, credential rotation, and regulatory follow-through — that generic BC\u002FDR plans rarely cover in depth.",[16,2885,2886],{},"Mature organizations treat Recover as the end of an incident lifecycle and the beginning of a program improvement cycle. Every recovery reveals gaps — controls that failed, backups that were incomplete, runbooks that were wrong — and those gaps feed the Identify function's Improvement category and the Govern function's oversight loop.",[11,2888,2890],{"id":2889},"how-recover-changed-in-nist-csf-20","How Recover changed in NIST CSF 2.0",[16,2892,2893],{},"NIST CSF 1.1 contained three Recover categories: Recovery Planning (RC.RP), Improvements (RC.IM), and Communications (RC.CO). NIST CSF 2.0 streamlined Recover into two:",[38,2895,2896,2906],{},[41,2897,2898],{},[44,2899,2900,2902,2904],{},[47,2901,49],{},[47,2903,52],{},[47,2905,55],{},[57,2907,2908,2919],{},[44,2909,2910,2913,2916],{},[62,2911,2912],{},"Incident Recovery Plan Execution",[62,2914,2915],{},"RC.RP",[62,2917,2918],{},"Executing recovery plans to restore services, systems, and data",[44,2920,2921,2924,2927],{},[62,2922,2923],{},"Incident Recovery Communication",[62,2925,2926],{},"RC.CO",[62,2928,2929],{},"Internal and external communications during and after recovery",[16,2931,2932],{},"The Improvements category (RC.IM) was moved to the Identify function as part of the new Improvement category (ID.IM), and recovery planning itself (the development and maintenance of recovery plans) is now governed through the Govern function's policy and oversight categories. 
The remaining Recover function is tightly focused on execution and communication during the recovery phase.",[86,2934,2936],{"id":2935},"incident-recovery-plan-execution-rcrp","Incident Recovery Plan Execution (RC.RP)",[16,2938,2939],{},"RC.RP covers the actual execution of the organization's incident recovery plans: restoring systems and data from known-good sources, verifying the integrity of restored systems, re-issuing credentials, re-establishing network connectivity, and returning services to production in a controlled sequence. RC.RP outcomes include tested recovery procedures, defined recovery priorities based on business criticality, and clear handoff protocols from the Respond function.",[16,2941,2942],{},"Key RC.RP considerations:",[97,2944,2945,2951,2957,2963,2969],{},[100,2946,2947,2950],{},[20,2948,2949],{},"Backup integrity and immutability."," Backups that were encrypted by ransomware are not backups. Immutable, air-gapped, or offline backups are core to modern RC.RP.",[100,2952,2953,2956],{},[20,2954,2955],{},"Known-good restoration sources."," Rebuilding from potentially compromised golden images reintroduces the same compromise. 
RC.RP requires verified clean sources.",[100,2958,2959,2962],{},[20,2960,2961],{},"Forensic preservation before restoration."," Restoring systems without first preserving forensic evidence destroys information that may be needed later.",[100,2964,2965,2968],{},[20,2966,2967],{},"Staged restoration."," Critical business services come back first, in an order that accounts for dependencies between systems.",[100,2970,2971,2974],{},[20,2972,2973],{},"Credential and secret rotation."," Any credential that could have been exposed during the incident must be rotated before services return to production.",[86,2976,2978],{"id":2977},"incident-recovery-communication-rcco","Incident Recovery Communication (RC.CO)",[16,2980,2981],{},"RC.CO covers the communications specific to the recovery phase: status updates to customers, partners, regulators, and employees during restoration; public updates if the incident was disclosed; and post-recovery communications that close out the incident. RC.CO continues the communication discipline established in the Respond function's RS.CO category but shifts focus from incident acknowledgment to restoration progress and final resolution.",[11,2983,145],{"id":144},[16,2985,2986],{},"A pragmatic sequence for standing up the Recover function:",[150,2988,2989,2995,3001,3007,3013,3019,3025],{},[100,2990,2991,2994],{},[20,2992,2993],{},"Align with the business."," Work with business stakeholders to document Recovery Time Objectives (RTO) and Recovery Point Objectives (RPO) for each critical business service. 
These anchor every other Recover decision.",[100,2996,2997,3000],{},[20,2998,2999],{},"Map technical recovery capabilities to business services."," Each critical business service should have a documented recovery runbook that maps systems, data, dependencies, and responsible teams.",[100,3002,3003,3006],{},[20,3004,3005],{},"Harden backups."," Immutable backups, air-gapped copies, and regularly tested restore procedures are the foundation of modern cybersecurity recovery.",[100,3008,3009,3012],{},[20,3010,3011],{},"Test recoveries."," A backup that has never been restored is not a backup. Schedule regular restore tests and include full end-to-end business service recovery in annual exercises.",[100,3014,3015,3018],{},[20,3016,3017],{},"Pre-stage clean images."," Maintain verified clean golden images of critical systems outside of the production environment so that recovery is not dependent on the compromised environment.",[100,3020,3021,3024],{},[20,3022,3023],{},"Rehearse communications."," Include RC.CO communication drills in tabletop exercises so that customer updates, regulator updates, and employee communications during a recovery are not improvised.",[100,3026,3027,3029],{},[20,3028,1619],{}," Every real recovery and every exercise produces lessons learned that feed ID.IM and update policies and controls across the NIST CSF program.",[11,3031,197],{"id":196},[16,3033,3034],{},"Recover programs commonly hit these walls:",[97,3036,3037,3043,3049,3055,3061,3067,3073],{},[100,3038,3039,3042],{},[20,3040,3041],{},"Untested backups."," Organizations discover during a real incident that their backups are incomplete, corrupted, stored in a compromised location, or cannot be restored within the RTO.",[100,3044,3045,3048],{},[20,3046,3047],{},"Ransomware on backups."," Attackers deliberately target backup infrastructure. 
Backups without immutability or offline copies fail exactly when they are needed.",[100,3050,3051,3054],{},[20,3052,3053],{},"RTO and RPO assumptions that don't match reality."," RTO and RPO numbers written in a BC\u002FDR plan often have no relationship to what is actually achievable. Testing surfaces the gap.",[100,3056,3057,3060],{},[20,3058,3059],{},"Forgotten dependencies."," Systems restored without their dependencies (identity providers, DNS, secrets management, logging) restart in a broken state. Dependency mapping is a core Recover discipline.",[100,3062,3063,3066],{},[20,3064,3065],{},"Reintroducing compromise."," Rebuilding from potentially compromised images or failing to rotate credentials allows the attacker to return the moment services come back online.",[100,3068,3069,3072],{},[20,3070,3071],{},"Recovery without communication."," Customers who do not hear from you during a recovery assume the worst. Silence is a choice and usually the wrong one.",[100,3074,3075,3078],{},[20,3076,3077],{},"No lessons-learned process."," Organizations that close out incidents without a structured review lose the single biggest benefit of having had the incident.",[11,3080,3082],{"id":3081},"measuring-recover-outcomes","Measuring Recover outcomes",[16,3084,3085],{},"The primary Recover metrics are the two that most directly reflect business impact: Recovery Time Objective (RTO) and Recovery Point Objective (RPO), expressed for each critical business service and compared against the actual RTO and RPO achieved in exercises and real recoveries. Mature programs add supporting metrics: backup coverage of critical systems, backup restoration test success rate, percentage of recoveries completed within the stated RTO, time to first customer communication during a recovery, and the percentage of recoveries that produced a documented lessons-learned review. 
Outcomes are only credible when the underlying restoration procedures have been tested against realistic cybersecurity scenarios — not just generic infrastructure-loss scenarios.",[16,3087,3088],{},"Ransomware-specific recovery readiness deserves its own review cadence. Can the organization restore a full critical service from immutable or offline backups without touching the compromised environment? Are golden images verified, stored outside the blast radius, and recent enough to matter? Are credential rotation runbooks tested at scale? These questions have become table-stakes for any serious NIST CSF Recover function and should be reviewed explicitly by the Govern function's oversight process.",[11,3090,252],{"id":251},[16,3092,3093,3094,261,3096,3098],{},"episki maps every Recover subcategory to the plans, playbooks, backup systems, and test schedules that actually deliver the outcome. Recovery plans are structured data with linked dependencies, owners, and test history — not static documents in a shared drive. RTO and RPO targets are measurable and tracked against real recovery tests. Post-recovery lessons learned automatically flow into the NIST CSF improvement category (ID.IM) and into the Protect, Detect, Respond, and Govern functions so that every recovery makes the program stronger. Evidence of recovery tests, plan reviews, and improvements maps automatically to the corresponding requirements in ",[257,3095,260],{"href":259},[257,3097,265],{"href":264},", HIPAA, PCI DSS, and CMMC.",[16,3100,3101,3102,276,3105,282],{},"Ready to know — not hope — that the NIST CSF Recover function will work when it has to? 
",[257,3103,275],{"href":272,"rel":3104},[274],[257,3106,281],{"href":279,"rel":3107},[274],{"title":284,"searchDepth":285,"depth":285,"links":3109},[3110,3111,3115,3116,3117,3118],{"id":2873,"depth":285,"text":2874},{"id":2889,"depth":285,"text":2890,"children":3112},[3113,3114],{"id":2935,"depth":291,"text":2936},{"id":2977,"depth":291,"text":2978},{"id":144,"depth":285,"text":145},{"id":196,"depth":285,"text":197},{"id":3081,"depth":285,"text":3082},{"id":251,"depth":285,"text":252},"A complete guide to the NIST CSF Recover function — recovery planning, recovery execution, improvements, and communications after a cybersecurity incident.",{"items":3121},[3122,3125,3128,3131],{"label":3123,"content":3124},"What is the Recover function in NIST CSF?","The Recover function maintains plans for resilience and restores any capabilities or services that were impaired due to a cybersecurity incident. Recover covers recovery planning, recovery execution, improvements based on lessons learned, and the internal and external communications associated with restoration.",{"label":3126,"content":3127},"How did the Recover function change in NIST CSF 2.0?","NIST CSF 2.0 consolidated Recover into two categories: Incident Recovery Plan Execution (RC.RP) and Incident Recovery Communication (RC.CO). The Improvements category from CSF 1.1 was moved into the Identify function's new Improvement category (ID.IM). Recovery planning itself is now governed through the Govern function.",{"label":3129,"content":3130},"How does Recover relate to business continuity and disaster recovery?","Recover is the cybersecurity-specific subset of the broader business continuity and disaster recovery (BC\u002FDR) discipline. 
Cybersecurity recovery plans should be aligned with the organization's BC\u002FDR strategy but explicitly account for cybersecurity scenarios such as ransomware, destructive malware, data integrity loss, and supplier cyber incidents that disrupt service.",{"label":3132,"content":3133},"What are the key metrics for the Recover function?","The two most important Recover metrics are Recovery Time Objective (RTO) — how quickly a service must be restored — and Recovery Point Objective (RPO) — how much data loss is tolerable. Mature programs also track the actual RTO and RPO achieved during tests and real incidents, plus the completeness and integrity of restored systems and data.",{},"\u002Fframeworks\u002Fnistcsf\u002Frecover-function",[3137,3138,3139],"business-continuity","disaster-recovery","incident-response",[324,323,325,326],{"title":3142,"description":3143},"NIST CSF Recover Function (RC): Categories, Subcategories, and Implementation","The NIST CSF Recover function restores services after an incident. 
Learn RC.RP and RC.CO, tie recovery to BCP\u002FDR, and close the loop into program improvements.","5.frameworks\u002Fnistcsf\u002Frecover-function","5iQs28bWT86rKeVSX4XwA3wdQpNLEYGdOlk4_D4Isp0",{"id":3147,"title":3148,"body":3149,"description":3397,"extension":298,"faq":3398,"frameworkSlug":313,"lastUpdated":314,"meta":3412,"navigation":316,"path":3413,"relatedTerms":3414,"relatedTopics":3416,"seo":3418,"stem":3421,"__hash__":3422},"frameworkTopics\u002F5.frameworks\u002Fnistcsf\u002Frespond-function.md","NIST CSF Respond Function",{"type":8,"value":3150,"toc":3384},[3151,3155,3161,3164,3167,3171,3174,3232,3235,3239,3242,3246,3249,3253,3256,3260,3263,3265,3268,3312,3314,3317,3355,3359,3362,3365,3367,3375],[11,3152,3154],{"id":3153},"what-is-the-nist-csf-respond-function","What is the NIST CSF Respond function?",[16,3156,18,3157,3160],{},[20,3158,3159],{},"Respond (RS) function"," contains the activities an organization performs once a cybersecurity incident has been detected. Respond is the function that gets stress-tested under the worst conditions: at 3 a.m., with incomplete information, under regulatory pressure, while the attacker is still in the environment. The quality of an organization's Respond function is often invisible until the moment it is desperately needed.",[16,3162,3163],{},"Respond in the NIST Cybersecurity Framework is deliberately broader than what many organizations call \"incident response.\" It includes not only the technical work of containment, eradication, and analysis, but also the governance work of coordinating legal, communications, human resources, insurance, law enforcement, and regulators. A technically excellent containment performed without legal oversight, without regulator notification, or without customer communication can still produce a catastrophic outcome.",[16,3165,3166],{},"Respond is where the Govern function's policies and the Identify function's asset and risk data get their most important test. 
An incident response team fights better with a current asset inventory, clear ownership, a defined risk-tolerance decision authority, and pre-approved communication templates. Every shortcut taken during Identify, Govern, and Protect shows up during Respond.",[11,3168,3170],{"id":3169},"how-respond-changed-in-nist-csf-20","How Respond changed in NIST CSF 2.0",[16,3172,3173],{},"NIST CSF 1.1 organized Respond into five categories: Response Planning (RS.RP), Communications (RS.CO), Analysis (RS.AN), Mitigation (RS.MI), and Improvements (RS.IM). NIST CSF 2.0 restructured this into four:",[38,3175,3176,3186],{},[41,3177,3178],{},[44,3179,3180,3182,3184],{},[47,3181,49],{},[47,3183,52],{},[47,3185,55],{},[57,3187,3188,3199,3210,3221],{},[44,3189,3190,3193,3196],{},[62,3191,3192],{},"Incident Management",[62,3194,3195],{},"RS.MA",[62,3197,3198],{},"Executing the incident response plan, triage, categorization, escalation",[44,3200,3201,3204,3207],{},[62,3202,3203],{},"Incident Analysis",[62,3205,3206],{},"RS.AN",[62,3208,3209],{},"Investigating scope, root cause, impact, and preserving evidence",[44,3211,3212,3215,3218],{},[62,3213,3214],{},"Incident Response Reporting and Communication",[62,3216,3217],{},"RS.CO",[62,3219,3220],{},"Internal, external, regulatory, and law enforcement communications",[44,3222,3223,3226,3229],{},[62,3224,3225],{},"Incident Mitigation",[62,3227,3228],{},"RS.MI",[62,3230,3231],{},"Containment, eradication, and prevention of further expansion",[16,3233,3234],{},"The Improvements category from CSF 1.1 was folded into the Identify function's new Improvement category (ID.IM) and into the Govern function. 
Response Planning is now largely owned by the Govern function (policy, plans, playbooks) with execution governed by RS.MA.",[86,3236,3238],{"id":3237},"incident-management-rsma","Incident Management (RS.MA)",[16,3240,3241],{},"RS.MA covers the execution of the incident response plan itself — how incidents are declared, triaged, categorized by severity, escalated to the appropriate authorities, and managed through a defined lifecycle. RS.MA also covers the coordination of roles across IT, security, legal, human resources, communications, executives, and external partners. A well-run RS.MA process produces a consistent experience regardless of which incident commander is on duty.",[86,3243,3245],{"id":3244},"incident-analysis-rsan","Incident Analysis (RS.AN)",[16,3247,3248],{},"RS.AN is the investigative arm of the Respond function. It covers forensic analysis of affected systems, scope determination, root cause analysis, evidence preservation, and correlation with external threat intelligence. RS.AN outputs feed both RS.MI (so mitigations are targeted correctly) and the post-incident lessons-learned loop that drives ID.IM.",[86,3250,3252],{"id":3251},"incident-response-reporting-and-communication-rsco","Incident Response Reporting and Communication (RS.CO)",[16,3254,3255],{},"RS.CO covers every communication associated with an incident: internal updates to leadership and employees, external updates to customers and partners, regulatory notifications (breach notification laws, SEC disclosure, sector-specific rules), law enforcement coordination, insurance claim notifications, and public-relations statements. RS.CO is where many incidents turn from manageable into publicly damaging. 
Pre-drafted templates, decision authorities, and rehearsed communication protocols are non-negotiable.",[86,3257,3259],{"id":3258},"incident-mitigation-rsmi","Incident Mitigation (RS.MI)",[16,3261,3262],{},"RS.MI is the containment and eradication arm: isolating affected systems, revoking compromised credentials, blocking malicious network traffic, removing persistence, patching exploited vulnerabilities, and ensuring the attacker cannot regain access. RS.MI hands off to the Recover function once eradication is complete and restoration begins.",[11,3264,145],{"id":144},[16,3266,3267],{},"A pragmatic sequence for operating the Respond function:",[150,3269,3270,3276,3282,3288,3294,3300,3306],{},[100,3271,3272,3275],{},[20,3273,3274],{},"Write a usable incident response plan."," A ten-page plan that assigns roles, lists escalation contacts, documents severity criteria, and references playbooks for common scenarios beats a hundred-page compliance artifact.",[100,3277,3278,3281],{},[20,3279,3280],{},"Name an incident commander role."," One person (with backups) runs each incident. Ambiguity in command costs time.",[100,3283,3284,3287],{},[20,3285,3286],{},"Pre-draft communication templates."," Customer notifications, internal all-hands announcements, regulator notifications, and board briefings should be drafted, reviewed by legal and communications, and stored with the incident response plan.",[100,3289,3290,3293],{},[20,3291,3292],{},"Rehearse."," Tabletop exercises at least annually, ideally quarterly, with realistic scenarios drawn from current threat intelligence. 
Include legal, communications, and executives in the exercises.",[100,3295,3296,3299],{},[20,3297,3298],{},"Establish external relationships before you need them."," Digital forensics and incident response (DFIR) retainer, cyber insurance carrier contacts, outside counsel, law enforcement liaisons — all identified and contracted in advance.",[100,3301,3302,3305],{},[20,3303,3304],{},"Integrate with Detect."," Clear escalation criteria from DE.AE into RS.MA so analysts know exactly when an adverse event becomes a declared incident.",[100,3307,3308,3311],{},[20,3309,3310],{},"Close the loop."," Every incident produces a post-incident review that feeds improvements into ID.IM, Govern, and the Protect and Detect backlogs.",[11,3313,197],{"id":196},[16,3315,3316],{},"Respond programs commonly hit these walls:",[97,3318,3319,3325,3331,3337,3343,3349],{},[100,3320,3321,3324],{},[20,3322,3323],{},"Plans that exist on paper but not in practice."," An incident response plan that has not been rehearsed in the last twelve months is a liability.",[100,3326,3327,3330],{},[20,3328,3329],{},"Ambiguous decision authority."," During an incident there is no time to debate who can authorize taking systems offline, issuing a customer notification, or engaging law enforcement. Decision authorities must be documented in advance.",[100,3332,3333,3336],{},[20,3334,3335],{},"Regulatory notification misses."," Breach notification laws and sector-specific rules (HIPAA, PCI DSS, GDPR, state privacy laws, SEC cybersecurity disclosure, DORA) have tight clocks. 
Tracking regulator obligations per data type per jurisdiction is a core Respond capability that belongs in the Govern function's organizational context.",[100,3338,3339,3342],{},[20,3340,3341],{},"Evidence handling mistakes."," Rebooting a compromised system before volatile memory is captured, deleting or overwriting logs, or handling disk and memory images without hashing and chain-of-custody records destroys or discredits forensic evidence that may be needed for civil, criminal, insurance, or regulatory purposes.",[100,3344,3345,3348],{},[20,3346,3347],{},"Communication silence."," Delayed or inconsistent communication during an incident erodes trust with customers, regulators, and employees. Pre-approved templates and a defined communication cadence are essential.",[100,3350,3351,3354],{},[20,3352,3353],{},"No integration with Recover."," Respond and Recover are separate NIST CSF functions but they share time and people. A handoff protocol between the two is easy to overlook.",[11,3356,3358],{"id":3357},"measuring-respond-outcomes","Measuring Respond outcomes",[16,3360,3361],{},"Respond metrics focus on speed, consistency, and completeness. The headline metrics are mean time to contain (MTTC) — how quickly an active incident is contained after detection — and mean time to eradicate (MTTE) — how quickly the attacker is fully removed from the environment. Beyond the time metrics, mature programs also track the percentage of incidents managed fully within the documented playbook, the time to first external communication for publicly disclosable incidents, on-time rate for regulatory notifications, and the proportion of incidents that produced a documented lessons-learned review. Those last two metrics tie Respond directly to Govern's oversight expectations and to ID.IM.",[16,3363,3364],{},"Tabletop exercise cadence and realism are themselves measurable. 
Organizations that run two or more cross-functional tabletops per year, involve executives and legal counsel, and introduce curveballs drawn from current threat intelligence consistently outperform organizations that treat tabletops as an annual compliance check. Exercise outputs — gaps identified, playbook updates, new contact information — belong in the same improvement loop that captures lessons from real incidents.",[11,3366,252],{"id":251},[16,3368,3369,3370,261,3372,3374],{},"episki operationalizes the Respond function end to end: incident response plans, playbooks, tabletop exercise schedules, contact directories, communication templates, and regulatory notification trackers live as structured data rather than scattered documents. Incidents are declared, tracked, and triaged in a workflow that captures RS.MA, RS.AN, RS.CO, and RS.MI evidence automatically, producing audit-ready artifacts for ",[257,3371,260],{"href":259},[257,3373,265],{"href":264},", HIPAA, and PCI DSS reviewers. Post-incident reviews feed improvements directly into the Protect, Detect, Govern, and Identify functions so that every incident makes the next one less likely.",[16,3376,3377,3378,276,3381,282],{},"Ready to prove the NIST CSF Respond function before the next incident does? 
",[257,3379,275],{"href":272,"rel":3380},[274],[257,3382,281],{"href":279,"rel":3383},[274],{"title":284,"searchDepth":285,"depth":285,"links":3385},[3386,3387,3393,3394,3395,3396],{"id":3153,"depth":285,"text":3154},{"id":3169,"depth":285,"text":3170,"children":3388},[3389,3390,3391,3392],{"id":3237,"depth":291,"text":3238},{"id":3244,"depth":291,"text":3245},{"id":3251,"depth":291,"text":3252},{"id":3258,"depth":291,"text":3259},{"id":144,"depth":285,"text":145},{"id":196,"depth":285,"text":197},{"id":3357,"depth":285,"text":3358},{"id":251,"depth":285,"text":252},"A complete guide to the NIST CSF Respond function — incident management, analysis, mitigation, reporting, and communications during a cybersecurity event.",{"items":3399},[3400,3403,3406,3409],{"label":3401,"content":3402},"What is the Respond function in NIST CSF?","The Respond function contains the activities an organization takes once a cybersecurity incident has been detected. Respond covers incident management, analysis, mitigation, reporting, and both internal and external communications. Its purpose is to contain the impact of an incident, preserve evidence, meet regulatory notification obligations, and set up the Recover function to restore operations.",{"label":3404,"content":3405},"How did the Respond function change in NIST CSF 2.0?","NIST CSF 2.0 restructured Respond around four categories: Incident Management (RS.MA), Incident Analysis (RS.AN), Incident Response Reporting and Communication (RS.CO), and Incident Mitigation (RS.MI). The Improvements category from CSF 1.1 was consolidated into Identify's new Improvement category (ID.IM) and the Govern function.",{"label":3407,"content":3408},"What is the difference between Respond and Recover?","Respond focuses on the active phase of the incident: containment, eradication, analysis, and communication. Recover focuses on restoring normal operations, implementing long-term improvements, and communicating recovery progress. 
Many Recover activities begin during Respond — the two functions overlap in time but have distinct outcomes.",{"label":3410,"content":3411},"Do small organizations need a formal incident response plan?","Yes. Regardless of size, organizations need a written incident response plan that names roles, escalation paths, internal and external communication templates, and legal and regulatory notification obligations. The plan does not need to be long — a tight ten-page plan that the team has actually rehearsed beats a hundred-page plan nobody has read.",{},"\u002Fframeworks\u002Fnistcsf\u002Frespond-function",[3139,3415],"breach-notification",[2860,3417,325,326],"recover-function",{"title":3419,"description":3420},"NIST CSF Respond Function (RS): Categories, Subcategories, and Implementation","The NIST CSF Respond function governs how organizations act during a cybersecurity incident. Learn RS.MA, RS.AN, RS.MI, RS.CO, and the incident response lifecycle.","5.frameworks\u002Fnistcsf\u002Frespond-function","SUZBzjb_BPnrxko3-oVHbxv00dUiqGYtJXoeYmGf9S8",{"id":3424,"title":3425,"body":3426,"description":3762,"extension":298,"faq":3763,"frameworkSlug":313,"lastUpdated":314,"meta":3777,"navigation":316,"path":352,"relatedTerms":3778,"relatedTopics":3779,"seo":3780,"stem":3783,"__hash__":3784},"frameworkTopics\u002F5.frameworks\u002Fnistcsf\u002Fv2-changes.md","NIST CSF 2.0 Changes",{"type":8,"value":3427,"toc":3741},[3428,3432,3435,3438,3442,3445,3449,3452,3456,3459,3465,3471,3477,3482,3487,3493,3497,3503,3507,3510,3513,3524,3527,3531,3534,3538,3544,3550,3570,3576,3580,3583,3587,3590,3594,3597,3600,3604,3607,3628,3634,3638,3641,3655,3658,3662,3668,3671,3675,3678,3681,3701,3705,3708,3714,3720,3726,3732,3738],[11,3429,3431],{"id":3430},"the-evolution-to-nist-csf-20","The evolution to NIST CSF 2.0",[16,3433,3434],{},"The National Institute of Standards and Technology (NIST) published the Cybersecurity Framework 2.0 in February 2024, marking the first major revision since the 
framework's original release in 2014 and its minor update to version 1.1 in 2018. CSF 2.0 reflects a decade of real-world usage, stakeholder feedback, and lessons learned from the evolving cybersecurity landscape.",[16,3436,3437],{},"The update was driven by several factors: the need to address governance gaps that organizations encountered when implementing the original framework, the expanding scope of cybersecurity risk beyond critical infrastructure, the growing importance of supply chain security, and the desire to improve the framework's usability for organizations of all sizes and maturity levels.",[11,3439,3441],{"id":3440},"the-new-govern-function","The new Govern function",[16,3443,3444],{},"The most significant structural change in NIST CSF 2.0 is the addition of a sixth core function: Govern (GV). This function elevates cybersecurity governance from a subcategory within the Identify function to a standalone function that underpins all five original functions.",[86,3446,3448],{"id":3447},"why-governance-was-elevated","Why governance was elevated",[16,3450,3451],{},"In NIST CSF 1.1, governance was addressed through the Identify function's Governance category (ID.GV). In practice, organizations often treated governance as a secondary concern, focusing on technical controls in the Protect and Detect functions while neglecting the management structures needed to sustain those controls. CSF 2.0 addresses this by making governance an explicit, top-level function that informs and directs all other cybersecurity activities.",[86,3453,3455],{"id":3454},"govern-function-categories","Govern function categories",[16,3457,3458],{},"The Govern function includes the following categories:",[16,3460,3461,3464],{},[20,3462,3463],{},"Organizational context (GV.OC)"," - Understand the organizational mission, stakeholder expectations, and legal and regulatory requirements that influence cybersecurity risk management. 
This category ensures that cybersecurity strategy aligns with business objectives.",[16,3466,3467,3470],{},[20,3468,3469],{},"Risk management strategy (GV.RM)"," - Establish and communicate the organization's cybersecurity risk management priorities, constraints, risk tolerance, and appetite. This was previously under the Identify function but is now positioned as a governance responsibility, reinforcing that risk management strategy is a leadership decision.",[16,3472,3473,3476],{},[20,3474,3475],{},"Roles, responsibilities, and authorities (GV.RR)"," - Define and communicate cybersecurity roles, responsibilities, and authorities across the organization. This includes ensuring that cybersecurity responsibilities are assigned at appropriate levels and that personnel have the authority and resources to fulfill their roles.",[16,3478,3479,3481],{},[20,3480,1261],{}," - Establish, communicate, and enforce cybersecurity policies that are informed by the organizational context and risk management strategy. Policies should be reviewed and updated regularly to remain current with evolving threats and business changes.",[16,3483,3484,3486],{},[20,3485,1268],{}," - Use results from cybersecurity risk management activities to inform and adjust the organization's strategy. This creates a feedback loop where operational cybersecurity data informs governance decisions, which in turn shape operational priorities.",[16,3488,3489,3492],{},[20,3490,3491],{},"Cybersecurity supply chain risk management (GV.SC)"," - Identify, establish, manage, monitor, and improve supply chain cybersecurity risk management processes. 
This category was significantly expanded from its position in CSF 1.1 and is discussed in detail below.",[86,3494,3496],{"id":3495},"impact-on-existing-programs","Impact on existing programs",[16,3498,3499,3500,3502],{},"Organizations that built their cybersecurity programs around the original five functions will need to restructure their ",[257,3501,593],{"href":592}," to incorporate the Govern function. In many cases, the activities described in the Govern function are already being performed but may not be formally documented or consistently applied. The elevation to a standalone function provides an opportunity to formalize and strengthen governance practices.",[11,3504,3506],{"id":3505},"expanded-scope-beyond-critical-infrastructure","Expanded scope beyond critical infrastructure",[16,3508,3509],{},"NIST CSF 1.0 was originally developed under Executive Order 13636 with a primary focus on critical infrastructure sectors (energy, healthcare, financial services, etc.). While it was always available for any organization to use, its framing and examples were oriented toward critical infrastructure.",[16,3511,3512],{},"NIST CSF 2.0 explicitly broadens the framework's intended audience to all organizations, regardless of size, sector, or cybersecurity maturity. 
This change is reflected in several ways:",[97,3514,3515,3518,3521],{},[100,3516,3517],{},"The framework's title dropped \"for Improving Critical Infrastructure Cybersecurity\" in favor of broader applicability",[100,3519,3520],{},"Examples and guidance address the needs of small and medium-sized organizations alongside large enterprises",[100,3522,3523],{},"Implementation guidance recognizes that organizations at different maturity levels need different levels of prescriptiveness",[16,3525,3526],{},"This expanded scope also makes NIST CSF 2.0 more relevant internationally, as organizations outside the United States increasingly adopt the framework as a voluntary standard for cybersecurity risk management.",[11,3528,3530],{"id":3529},"enhanced-supply-chain-risk-management","Enhanced supply chain risk management",[16,3532,3533],{},"Supply chain cybersecurity risk management received significantly more attention in CSF 2.0 compared to its predecessor. The new Govern function includes a dedicated category (GV.SC) with multiple subcategories addressing supply chain risk.",[86,3535,3537],{"id":3536},"key-supply-chain-changes","Key supply chain changes",[16,3539,3540,3543],{},[20,3541,3542],{},"Dedicated governance category"," - Supply chain risk management is now a governance responsibility with explicit leadership oversight, rather than a technical concern buried within the Identify function.",[16,3545,3546,3549],{},[20,3547,3548],{},"Expanded subcategories"," - CSF 2.0 includes specific subcategories for:",[97,3551,3552,3555,3558,3561,3564,3567],{},[100,3553,3554],{},"Establishing supply chain risk management strategy and policies",[100,3556,3557],{},"Integrating supply chain risk into enterprise risk management",[100,3559,3560],{},"Conducting due diligence on suppliers and third-party partners",[100,3562,3563],{},"Monitoring supplier cybersecurity practices throughout the relationship lifecycle",[100,3565,3566],{},"Planning for supply chain disruptions and 
compromises",[100,3568,3569],{},"Including cybersecurity requirements in contracts and agreements",[16,3571,3572,3575],{},[20,3573,3574],{},"Supply chain risk in all functions"," - Beyond the Govern function, supply chain considerations are woven into the other five functions. For example, the Identify function addresses identifying and prioritizing suppliers, the Protect function covers securing supply chain interactions, and the Respond function addresses responding to supply chain incidents.",[86,3577,3579],{"id":3578},"why-supply-chain-focus-increased","Why supply chain focus increased",[16,3581,3582],{},"Several high-profile supply chain incidents (the SolarWinds and Kaseya compromises, and the Log4Shell vulnerability in the widely embedded Log4j library) demonstrated that third-party and software-component risk is one of the most significant cybersecurity challenges facing organizations. CSF 2.0 reflects the reality that an organization's cybersecurity posture is only as strong as its weakest supply chain link.",[11,3584,3586],{"id":3585},"improved-implementation-guidance","Improved implementation guidance",[16,3588,3589],{},"NIST CSF 2.0 introduces significant improvements to help organizations put the framework into practice.",[86,3591,3593],{"id":3592},"implementation-examples","Implementation examples",[16,3595,3596],{},"CSF 2.0 provides implementation examples for each subcategory, offering concrete actions that organizations can take. These examples are not prescriptive requirements but rather illustrative guidance that helps organizations, particularly smaller ones, understand what each subcategory looks like in practice.",[16,3598,3599],{},"For example, under the Protect function's data security category, implementation examples might include encrypting data at rest using AES-256, implementing data loss prevention tools, or classifying data based on sensitivity levels. 
These examples make the framework more accessible to organizations that lack dedicated compliance teams.",[86,3601,3603],{"id":3602},"informative-references","Informative references",[16,3605,3606],{},"NIST CSF 2.0 maintains and expands its catalog of informative references that map the framework to other standards, guidelines, and best practices. These references include mappings to:",[97,3608,3609,3612,3615,3618,3621,3625],{},[100,3610,3611],{},"NIST SP 800-53 (Security and Privacy Controls)",[100,3613,3614],{},"ISO 27001 and ISO 27002",[100,3616,3617],{},"COBIT",[100,3619,3620],{},"CIS Controls",[100,3622,3623],{},[257,3624,603],{"href":602},[100,3626,3627],{},"HIPAA Security Rule",[16,3629,3630,3631,3633],{},"The informative references are now maintained as a separate, regularly updated resource rather than being embedded in the framework document. This allows mappings to be updated as referenced standards evolve without requiring a new version of the CSF itself. See the ",[257,3632,978],{"href":597}," topic for practical guidance on using these mappings.",[86,3635,3637],{"id":3636},"quick-start-guides","Quick start guides",[16,3639,3640],{},"NIST published companion quick start guides alongside CSF 2.0 to help specific audiences get started:",[97,3642,3643,3646,3649,3652],{},[100,3644,3645],{},"A guide for small businesses that simplifies the framework into actionable steps",[100,3647,3648],{},"A guide for enterprise risk managers that connects CSF 2.0 to enterprise risk management",[100,3650,3651],{},"A guide for creating and using organizational profiles",[100,3653,3654],{},"A guide for supply chain risk management",[16,3656,3657],{},"These guides lower the barrier to adoption for organizations that found the original framework document dense or difficult to operationalize.",[11,3659,3661],{"id":3660},"updated-tiers-and-profiles","Updated tiers and profiles",[16,3663,3664,3665,3667],{},"While the ",[257,3666,588],{"href":587}," (Partial, Risk Informed, 
Repeatable, Adaptive) remain conceptually the same in CSF 2.0, they have been updated to incorporate the Govern function. Organizations now assess their tier across six functions rather than five, with governance maturity playing a significant role in the overall tier assessment.",[16,3669,3670],{},"Framework profiles in CSF 2.0 also incorporate the Govern function and benefit from improved guidance on how to create, compare, and communicate profiles. The concept of community profiles -- profiles developed by a sector, industry group, or other community to address shared cybersecurity concerns -- is more prominent in CSF 2.0. Community profiles can serve as starting points that individual organizations customize to their specific needs.",[11,3672,3674],{"id":3673},"continuous-improvement-emphasis","Continuous improvement emphasis",[16,3676,3677],{},"CSF 2.0 strengthens the emphasis on continuous improvement throughout the framework. The Govern function's Oversight category (GV.OV) creates an explicit feedback loop between operational cybersecurity activities and governance decisions. 
This reinforces that cybersecurity is not a project with a defined end state but an ongoing program that must adapt to changing threats, technologies, and business conditions.",[16,3679,3680],{},"The framework now more clearly articulates the cycle of:",[150,3682,3683,3686,3689,3692,3695,3698],{},[100,3684,3685],{},"Understanding your current posture (current profile)",[100,3687,3688],{},"Defining your target posture (target profile)",[100,3690,3691],{},"Identifying and prioritizing gaps",[100,3693,3694],{},"Implementing improvements",[100,3696,3697],{},"Measuring results",[100,3699,3700],{},"Adjusting strategy based on outcomes (feeding back into governance)",[11,3702,3704],{"id":3703},"transitioning-from-csf-11-to-20","Transitioning from CSF 1.1 to 2.0",[16,3706,3707],{},"Organizations currently using NIST CSF 1.1 should plan a structured transition to CSF 2.0:",[16,3709,3710,3713],{},[20,3711,3712],{},"Assess governance maturity"," - Evaluate your existing governance practices against the new Govern function. Many organizations will find that they are already performing some governance activities but need to formalize and document them.",[16,3715,3716,3719],{},[20,3717,3718],{},"Update framework profiles"," - Rebuild your current and target profiles to incorporate the Govern function's categories and subcategories. This is also an opportunity to refresh your assessments of the original five functions.",[16,3721,3722,3725],{},[20,3723,3724],{},"Expand supply chain coverage"," - Review and strengthen your supply chain risk management practices against the expanded GV.SC subcategories. 
This may require new processes for vendor assessment, contract requirements, and ongoing monitoring.",[16,3727,3728,3731],{},[20,3729,3730],{},"Leverage new resources"," - Take advantage of the implementation examples, quick start guides, and updated informative references to fill gaps and improve your program.",[16,3733,3734,3737],{},[20,3735,3736],{},"Update training and communication"," - Ensure that stakeholders across the organization understand the changes in CSF 2.0, particularly the elevated importance of governance and supply chain risk management. Executive leadership should understand how the Govern function affects their responsibilities.",[16,3739,3740],{},"NIST CSF 2.0 represents a maturation of the framework that reflects how cybersecurity risk management has evolved over the past decade. Organizations that embrace the updated structure, particularly the Govern function and enhanced supply chain coverage, will be better positioned to manage cybersecurity risk in an increasingly complex threat environment.",{"title":284,"searchDepth":285,"depth":285,"links":3742},[3743,3744,3749,3750,3754,3759,3760,3761],{"id":3430,"depth":285,"text":3431},{"id":3440,"depth":285,"text":3441,"children":3745},[3746,3747,3748],{"id":3447,"depth":291,"text":3448},{"id":3454,"depth":291,"text":3455},{"id":3495,"depth":291,"text":3496},{"id":3505,"depth":285,"text":3506},{"id":3529,"depth":285,"text":3530,"children":3751},[3752,3753],{"id":3536,"depth":291,"text":3537},{"id":3578,"depth":291,"text":3579},{"id":3585,"depth":285,"text":3586,"children":3755},[3756,3757,3758],{"id":3592,"depth":291,"text":3593},{"id":3602,"depth":291,"text":3603},{"id":3636,"depth":291,"text":3637},{"id":3660,"depth":285,"text":3661},{"id":3673,"depth":285,"text":3674},{"id":3703,"depth":285,"text":3704},"An overview of the key changes in NIST Cybersecurity Framework 2.0, including the new Govern function, expanded scope, and supply chain 
focus.",{"items":3764},[3765,3768,3771,3774],{"label":3766,"content":3767},"What is the biggest change in NIST CSF 2.0?","The addition of a sixth core function called Govern (GV). This elevates cybersecurity governance from a subcategory within the Identify function to a standalone function that underpins all other cybersecurity activities, emphasizing leadership accountability and risk management strategy.",{"label":3769,"content":3770},"Does NIST CSF 2.0 only apply to critical infrastructure?","No. NIST CSF 2.0 explicitly broadens its scope to all organizations regardless of size, sector, or maturity level. The original framework was primarily focused on critical infrastructure, but 2.0 dropped that limitation and includes guidance for small and medium-sized businesses.",{"label":3772,"content":3773},"Do I need to migrate from CSF 1.1 to 2.0?","While NIST CSF is voluntary, organizations currently using 1.1 should plan a structured transition. Start by assessing your governance maturity against the new Govern function, rebuild your framework profiles to incorporate the sixth function, and expand your supply chain risk coverage.",{"label":3775,"content":3776},"How does NIST CSF 2.0 address supply chain risk?","CSF 2.0 significantly expands supply chain coverage with a dedicated governance category (GV.SC) covering supplier due diligence, contract requirements, ongoing monitoring, and disruption planning. This was driven by high-profile supply chain attacks like SolarWinds and Log4j.",{},[634],[1095,636,326],{"title":3781,"description":3782},"NIST CSF 2.0 vs 1.1: What Changed & What It Means for Your Program","NIST CSF 2.0 adds the Govern function, expands scope beyond critical infrastructure, and strengthens supply chain requirements. 
Full breakdown with migration steps.","5.frameworks\u002Fnistcsf\u002Fv2-changes","k_8CNxbL7zc7Obs5nIBNJlxu8dIPSzib8H51NYleyKA",{"id":3786,"title":3787,"advantages":3788,"body":3810,"checklist":4323,"cta":4332,"description":284,"extension":298,"faq":4335,"hero":4352,"meta":4366,"name":4367,"navigation":316,"path":4368,"resources":4369,"seo":4382,"slug":313,"stats":4385,"stem":4395,"__hash__":4396},"frameworks\u002F5.frameworks\u002Fnistcsf.md","Nistcsf",[3789,3796,3803],{"title":3790,"description":3791,"bullets":3792},"Tailored CSF roadmap","Start with opinionated baseline controls, then layer your own.",[3793,3794,3795],"Gap analysis highlights missing outcomes","Auto-generated improvement initiatives","Budget impact estimates for leadership",{"title":3797,"description":3798,"bullets":3799},"Continuous monitoring and AI ops","Stream alerts, detections, and incidents into CSF context.",[3800,3801,3802],"Connect SIEM, EDR, and cloud posture tools","AI summarizes incidents for exec updates","Workflows escalate unreviewed alerts",{"title":3804,"description":3805,"bullets":3806},"Board and customer alignment","Share progress externally with confidence.",[3807,3808,3809],"Customizable scorecards for customers or partners","Trend lines show quarter-over-quarter improvements","Trust room access with expiring links",{"type":8,"value":3811,"toc":4301},[3812,3816,3824,3827,3831,3838,3841,3845,3848,3859,3862,3865,3868,3906,3912,3916,3919,3922,3926,3934,3936,3945,3947,3956,3958,3967,3969,3978,3980,3989,3992,3995,4001,4027,4032,4036,4042,4045,4059,4062,4072,4076,4087,4104,4111,4115,4123,4131,4142,4146,4149,4196,4199,4203,4206,4238,4241,4244,4248,4251,4295,4298],[11,3813,3815],{"id":3814},"what-is-nist-csf","What is NIST CSF?",[16,3817,3818,3819,3823],{},"The NIST Cybersecurity Framework (NIST CSF) is a voluntary, outcome-based set of cybersecurity guidelines published by the ",[257,3820,3822],{"href":3821},"\u002Fglossary\u002Fnist","National Institute of Standards and 
Technology",". The NIST Cybersecurity Framework gives organizations a shared vocabulary and a prioritized structure for managing cybersecurity risk, measuring program maturity, and communicating security posture to executives, boards, regulators, customers, and insurers.",[16,3825,3826],{},"NIST CSF is not a certification, a control catalog, or a compliance standard. It is a framework — a model that organizes cybersecurity activities into functions, categories, and subcategories so that any organization can describe its current cybersecurity posture, describe its target cybersecurity posture, identify and prioritize opportunities for improvement, assess progress, and communicate cybersecurity risk in a consistent way. Because NIST CSF is technology- and sector-neutral, it has become one of the most widely adopted cybersecurity frameworks in the world, used by Fortune 500 companies, federal contractors, critical infrastructure operators, state and local governments, startups, nonprofits, and multinational enterprises.",[86,3828,3830],{"id":3829},"nist-origin-and-executive-order-13636","NIST origin and Executive Order 13636",[16,3832,3833,3834,3837],{},"The NIST Cybersecurity Framework was created in response to a growing wave of attacks against United States critical infrastructure. In February 2013, President Barack Obama signed ",[20,3835,3836],{},"Executive Order 13636 — Improving Critical Infrastructure Cybersecurity",", which directed NIST to work with industry, academia, and other government agencies to develop a voluntary cybersecurity framework for critical infrastructure operators. 
The executive order explicitly called for a flexible, repeatable, performance-based, and cost-effective approach that could scale from small municipal utilities to the largest financial institutions.",[16,3839,3840],{},"NIST published version 1.0 of the NIST Cybersecurity Framework in February 2014 after a year of public workshops, industry comment periods, and collaboration with more than three thousand individuals and organizations. The first version of NIST CSF introduced the five core functions — Identify, Protect, Detect, Respond, and Recover — along with the concept of framework profiles and implementation tiers. Even though NIST CSF was designed for critical infrastructure, organizations in every sector quickly adopted it because it filled a gap that prescriptive standards did not: a business-friendly model for talking about cybersecurity risk.",[86,3842,3844],{"id":3843},"the-evolution-of-nist-csf","The evolution of NIST CSF",[16,3846,3847],{},"In April 2018, NIST released NIST CSF version 1.1. This incremental update clarified existing guidance, added a new Supply Chain Risk Management category (ID.SC), improved the self-assessment language, and added authentication and identity proofing subcategories. NIST CSF 1.1 contained 108 subcategories grouped under 23 categories across the five functions, and it remained the dominant version of the NIST Cybersecurity Framework for six years.",[16,3849,3850,3851,3854,3855,3858],{},"In February 2024, NIST published ",[20,3852,3853],{},"NIST CSF 2.0"," — the first major revision of the NIST Cybersecurity Framework. 
NIST CSF 2.0 expanded the scope of the framework beyond critical infrastructure, added a brand-new sixth function called ",[20,3856,3857],{},"Govern",", reorganized several categories, and introduced a richer set of implementation resources including quick-start guides, informative references, and community profiles.",[11,3860,353],{"id":3861},"nist-csf-20-changes",[16,3863,3864],{},"The jump from NIST CSF 1.1 to NIST CSF 2.0 is the most significant update the NIST Cybersecurity Framework has ever received. The changes are not cosmetic — they reshape how organizations are expected to structure and govern their cybersecurity programs.",[16,3866,3867],{},"Highlights of NIST CSF 2.0:",[97,3869,3870,3876,3882,3888,3900],{},[100,3871,3872,3875],{},[20,3873,3874],{},"A sixth function — Govern (GV)"," — elevates cybersecurity governance from a sub-category under Identify to a standalone top-level function covering organizational context, risk management strategy, roles and responsibilities, policy, oversight, and cybersecurity supply chain risk management.",[100,3877,3878,3881],{},[20,3879,3880],{},"Explicit scope expansion"," — NIST CSF 2.0 applies to organizations of any size, sector, or maturity level, not just critical infrastructure. 
Small-business quick-start guides, community profiles, and sector-specific profiles make the NIST Cybersecurity Framework accessible to organizations that previously found NIST CSF 1.1 too enterprise-centric.",[100,3883,3884,3887],{},[20,3885,3886],{},"Stronger supply chain focus"," — GV.SC expands the NIST CSF treatment of third-party risk, supplier due diligence, and software supply chain security, reflecting the lessons of SolarWinds, Kaseya, Log4j, and MOVEit.",[100,3889,3890,3892,3893,3896,3897,3899],{},[20,3891,3586],{}," — NIST CSF 2.0 ships with a companion CSF Reference Tool, searchable informative references mapping NIST CSF subcategories to ",[257,3894,3895],{"href":3821},"NIST SP 800-53",", ISO 27001, CIS Controls, ",[257,3898,260],{"href":259},", and more.",[100,3901,3902,3905],{},[20,3903,3904],{},"Refreshed implementation tiers"," — the four-tier maturity model (Partial, Risk-Informed, Repeatable, Adaptive) now explicitly incorporates governance and supply chain considerations.",[16,3907,3908,3909,3911],{},"For a deep dive into every structural and categorical change between NIST CSF 1.1 and NIST CSF 2.0, see our ",[257,3910,353],{"href":352}," guide.",[11,3913,3915],{"id":3914},"the-six-core-functions-of-nist-csf-20","The six core functions of NIST CSF 2.0",[16,3917,3918],{},"The NIST Cybersecurity Framework organizes cybersecurity activity into a small number of top-level functions. NIST CSF 1.1 defined five functions; NIST CSF 2.0 defines six. 
Each function represents a category of outcomes that a mature cybersecurity program must deliver, and each function decomposes into categories and subcategories that describe the outcomes in progressively more specific terms.",[16,3920,3921],{},"The six NIST CSF 2.0 functions are:",[86,3923,3925],{"id":3924},"govern-gv","Govern (GV)",[16,3927,18,3928,3930,3931,282],{},[20,3929,3857],{}," function — new in NIST CSF 2.0 — establishes, communicates, and monitors the organization's cybersecurity risk management strategy, expectations, and policy. Govern is the leadership and accountability layer of NIST CSF. It sits above the other five functions and informs everything the organization does to identify, protect, detect, respond, and recover. Deep dive: ",[257,3932,3933],{"href":1408},"NIST CSF Govern function",[86,3935,358],{"id":357},[16,3937,18,3938,3941,3942,282],{},[20,3939,3940],{},"Identify"," function develops an organizational understanding of cybersecurity risk to systems, people, assets, data, and capabilities. Identify is where you inventory what you have, understand the business context in which it operates, and decide what matters most. Without Identify, the rest of the NIST Cybersecurity Framework has nothing to act on. Deep dive: ",[257,3943,3944],{"href":1706},"NIST CSF Identify function",[86,3946,412],{"id":411},[16,3948,18,3949,3952,3953,282],{},[20,3950,3951],{},"Protect"," function implements safeguards to ensure delivery of critical services and limit or contain the impact of cybersecurity events. Protect encompasses identity and access management, awareness and training, data security, information protection processes, maintenance, and protective technology. Deep dive: ",[257,3954,3955],{"href":2853},"NIST CSF Protect function",[86,3957,464],{"id":463},[16,3959,18,3960,3963,3964,282],{},[20,3961,3962],{},"Detect"," function develops and implements appropriate activities to identify the occurrence of a cybersecurity event in a timely manner. 
Detect covers continuous monitoring, anomaly analysis, and detection processes — the telemetry, alerting, and threat-hunting capabilities that surface attacks as they happen. Deep dive: ",[257,3965,3966],{"href":317},"NIST CSF Detect function",[86,3968,498],{"id":497},[16,3970,18,3971,3974,3975,282],{},[20,3972,3973],{},"Respond"," function contains activities to take action regarding a detected cybersecurity incident. Respond covers incident response planning, communications, analysis, containment, eradication, and lessons-learned improvements. A strong Respond capability is what separates a contained incident from a front-page breach. Deep dive: ",[257,3976,3977],{"href":3413},"NIST CSF Respond function",[86,3979,544],{"id":543},[16,3981,18,3982,3985,3986,282],{},[20,3983,3984],{},"Recover"," function contains activities to maintain plans for resilience and to restore any capabilities or services that were impaired due to a cybersecurity incident. Recover covers recovery planning, improvements, and communications. Recover is how organizations return to normal operations while capturing lessons learned to strengthen the program. Deep dive: ",[257,3987,3988],{"href":3135},"NIST CSF Recover function",[16,3990,3991],{},"Together, the six NIST CSF functions describe the complete cybersecurity lifecycle. Mature organizations operate all six functions simultaneously and continuously, not in a linear sequence.",[11,3993,2529],{"id":3994},"nist-csf-implementation-tiers",[16,3996,3997,3998,4000],{},"NIST CSF uses ",[20,3999,588],{}," to describe the degree to which an organization's cybersecurity risk management practices exhibit the characteristics defined in the NIST Cybersecurity Framework. The four tiers are not a maturity scale in the traditional sense — NIST is careful to say that Tier 4 is not required for every organization. 
Instead, implementation tiers help organizations choose an appropriate level of rigor given their risk tolerance, mission, regulatory obligations, threat environment, and resources.",[97,4002,4003,4009,4015,4021],{},[100,4004,4005,4008],{},[20,4006,4007],{},"Tier 1 — Partial",": Cybersecurity risk management is ad hoc and reactive. Policies are informal, risk awareness is limited, and supply chain considerations are rarely formalized.",[100,4010,4011,4014],{},[20,4012,4013],{},"Tier 2 — Risk-Informed",": Risk management practices are approved by management but may not be established organization-wide. Cybersecurity activities consider organizational risk objectives.",[100,4016,4017,4020],{},[20,4018,4019],{},"Tier 3 — Repeatable",": Formal policies exist and are applied consistently. The organization has the people, processes, and tooling to operate the NIST Cybersecurity Framework repeatably.",[100,4022,4023,4026],{},[20,4024,4025],{},"Tier 4 — Adaptive",": The organization adapts its cybersecurity practices based on lessons learned, threat intelligence, and changes in the business environment. Cybersecurity risk management is part of the organizational culture.",[16,4028,4029,4030,3911],{},"For a complete walkthrough of each tier, including how to select a target tier and move between tiers, see our ",[257,4031,2529],{"href":587},[11,4033,4035],{"id":4034},"nist-csf-framework-profiles","NIST CSF framework profiles",[16,4037,4038,4039,4041],{},"A ",[20,4040,2005],{}," is the unique alignment of NIST CSF functions, categories, and subcategories with the organization's business requirements, risk tolerance, and resources. 
Profiles are the tool that turns the NIST Cybersecurity Framework from a generic model into a specific plan for a specific organization.",[16,4043,4044],{},"NIST CSF supports two kinds of profiles:",[97,4046,4047,4053],{},[100,4048,4038,4049,4052],{},[20,4050,4051],{},"Current Profile"," describes the cybersecurity outcomes the organization is achieving today.",[100,4054,4038,4055,4058],{},[20,4056,4057],{},"Target Profile"," describes the cybersecurity outcomes the organization wants to achieve.",[16,4060,4061],{},"The gap between the Current Profile and the Target Profile becomes a prioritized roadmap: which NIST CSF subcategories need investment, in what order, and at what cost. Community profiles published by NIST (for small business, healthcare, financial services, manufacturing, and others) give organizations a head start by providing pre-built Target Profiles tailored to specific sectors.",[16,4063,4064,4065,4069,4070,282],{},"For a complete framework profiles walkthrough — including how to build your first profile, how to use community profiles, and how to link profiles to your ",[257,4066,4068],{"href":4067},"\u002Fglossary\u002Fcontrol-framework","control framework"," — see ",[257,4071,4035],{"href":592},[11,4073,4075],{"id":4074},"nist-csf-categories-and-subcategories","NIST CSF categories and subcategories",[16,4077,4078,4079,4082,4083,4086],{},"Below the function layer, NIST CSF decomposes cybersecurity activity into ",[20,4080,4081],{},"categories"," and ",[20,4084,4085],{},"subcategories",". 
Categories group related outcomes within a function (for example, Asset Management, Access Control, Continuous Monitoring), and subcategories express specific outcome statements that a mature program should achieve.",[97,4088,4089,4099],{},[100,4090,4091,4094,4095,4098],{},[20,4092,4093],{},"NIST CSF 1.1"," defined 23 categories and ",[20,4096,4097],{},"108 subcategories"," across the five original functions.",[100,4100,4101,4103],{},[20,4102,3853],{}," reorganized the catalog around six functions. The total number of subcategories in NIST CSF 2.0 was restructured (and slightly reduced after consolidation) to roughly 106, grouped under 22 categories, with Govern contributing six new categories of its own.",[16,4105,4106,4107,4110],{},"Every NIST CSF subcategory is written as an outcome — for example, \"PR.AA-01: Identities and credentials for authorized users, services, and hardware are managed by the organization.\" NIST intentionally avoids prescribing specific technologies, controls, or implementation details. Instead, NIST CSF provides ",[20,4108,4109],{},"informative references"," that map each subcategory to specific controls in NIST SP 800-53, ISO 27001 Annex A, CIS Critical Security Controls, COBIT, and other authoritative sources. This outcome-first design is what makes NIST CSF work across industries, company sizes, and technology stacks.",[11,4112,4114],{"id":4113},"mapping-nist-csf-to-other-frameworks","Mapping NIST CSF to other frameworks",[16,4116,4117,4118,261,4120,4122],{},"One of the most valuable properties of the NIST Cybersecurity Framework is its ability to act as a unifying layer across multiple compliance regimes. 
Organizations that need to satisfy ",[257,4119,260],{"href":259},[257,4121,265],{"href":264},", HIPAA, PCI DSS, GDPR, FedRAMP, CMMC, and NIST SP 800-171 at the same time can use NIST CSF as the \"Rosetta Stone\" that maps each requirement to a common set of outcomes.",[16,4124,4125,4126,4130],{},"For federal contractors in particular, NIST CSF acts as the governance umbrella above NIST SP 800-171 and ",[257,4127,4129],{"href":4128},"\u002Fframeworks\u002Fcmmc\u002Fnist-800-171-mapping","CMMC",", both of which are derived from the NIST family of publications. A NIST CSF Target Profile that references NIST SP 800-53 informative references can be reused — with minor adjustments — as an ISO 27001 Statement of Applicability, a SOC 2 Trust Services Criteria mapping, and a HIPAA Security Rule crosswalk.",[16,4132,4133,4134,4136,4137,4141],{},"For a detailed crosswalk between NIST CSF and the major compliance frameworks — including worked examples of how a single NIST CSF subcategory maps to multiple standards — see ",[257,4135,4114],{"href":597},". If you are actively building that mapping into a live compliance program, our ",[257,4138,4140],{"href":4139},"\u002Fnow\u002Fnist-csf-mapping-compliance","NIST CSF mapping compliance"," guide walks through the operational mechanics.",[11,4143,4145],{"id":4144},"who-uses-nist-csf","Who uses NIST CSF?",[16,4147,4148],{},"The NIST Cybersecurity Framework started as a voluntary framework for United States critical infrastructure. 
A decade later, NIST CSF is used by:",[97,4150,4151,4157,4166,4172,4178,4184,4190],{},[100,4152,4153,4156],{},[20,4154,4155],{},"Critical infrastructure operators"," — energy, water, transportation, communications, healthcare, and financial services organizations that fall under the 16 critical infrastructure sectors originally targeted by Executive Order 13636.",[100,4158,4159,4162,4163,282],{},[20,4160,4161],{},"Federal agencies and federal contractors"," — Executive Order 13800 required federal agencies to use NIST CSF to manage cybersecurity risk. Agencies and their contractors routinely use NIST CSF alongside ",[257,4164,4165],{"href":4128},"NIST SP 800-171 and the CMMC program",[100,4167,4168,4171],{},[20,4169,4170],{},"State, local, tribal, and territorial (SLTT) governments"," — many states have adopted NIST CSF as the baseline cybersecurity model for agencies and municipal systems.",[100,4173,4174,4177],{},[20,4175,4176],{},"Large enterprises"," — Fortune 500 companies use NIST CSF to communicate cybersecurity risk to boards, investors, insurers, and regulators.",[100,4179,4180,4183],{},[20,4181,4182],{},"Small and mid-sized businesses (SMBs)"," — especially after NIST CSF 2.0, which ships with SMB-specific quick-start guides and community profiles.",[100,4185,4186,4189],{},[20,4187,4188],{},"Non-US organizations"," — NIST CSF is widely used outside the United States as a practical cybersecurity model that complements ISO 27001 and other international standards.",[100,4191,4192,4195],{},[20,4193,4194],{},"Insurers and investors"," — cyber insurance carriers and private-equity diligence teams increasingly ask portfolio companies to report maturity against NIST CSF as evidence of disciplined cybersecurity risk management.",[16,4197,4198],{},"The common thread is that NIST CSF works for any organization that needs to manage cybersecurity risk and communicate that risk to non-technical stakeholders. 
That is essentially every organization.",[11,4200,4202],{"id":4201},"nist-csf-vs-nist-sp-800-53-vs-nist-sp-800-171","NIST CSF vs NIST SP 800-53 vs NIST SP 800-171",[16,4204,4205],{},"NIST publishes dozens of cybersecurity documents, and three of them — NIST CSF, NIST SP 800-53, and NIST SP 800-171 — are often confused. Here is how they differ and how they fit together.",[97,4207,4208,4218,4228],{},[100,4209,4210,4213,4214,4217],{},[20,4211,4212],{},"NIST CSF (Cybersecurity Framework)"," is an ",[20,4215,4216],{},"outcome-based framework",". It defines what cybersecurity outcomes to achieve (the subcategories) but does not tell you exactly how to achieve them. NIST CSF is voluntary, technology-neutral, and applies to any organization.",[100,4219,4220,4223,4224,4227],{},[20,4221,4222],{},"NIST SP 800-53 (Security and Privacy Controls for Information Systems and Organizations)"," is a comprehensive ",[20,4225,4226],{},"control catalog",". SP 800-53 contains more than one thousand security and privacy controls organized into families such as Access Control (AC), Audit and Accountability (AU), and System and Communications Protection (SC). NIST SP 800-53 is mandatory for US federal information systems under FISMA and the Risk Management Framework (RMF).",[100,4229,4230,4233,4234,4237],{},[20,4231,4232],{},"NIST SP 800-171 (Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations)"," is a ",[20,4235,4236],{},"derived subset"," of NIST SP 800-53 focused on protecting Controlled Unclassified Information (CUI) in nonfederal systems. 
SP 800-171 is mandatory for any organization that handles CUI on behalf of the federal government and forms the basis for CMMC.",[16,4239,4240],{},"The relationship between the three is straightforward: NIST CSF describes the outcomes, NIST SP 800-53 and NIST SP 800-171 describe the controls that deliver those outcomes, and the NIST CSF informative references tell you which 800-53 and 800-171 controls satisfy each NIST CSF subcategory. Organizations use NIST CSF to frame the strategy and use NIST SP 800-53 or NIST SP 800-171 to implement the controls.",[16,4242,4243],{},"Federal contractors that handle CUI will typically use all three: NIST CSF for executive communication and maturity scoring, NIST SP 800-171 as the binding control baseline, and NIST SP 800-53 as the deeper reference catalog.",[11,4245,4247],{"id":4246},"getting-started-with-nist-csf","Getting started with NIST CSF",[16,4249,4250],{},"Implementing the NIST Cybersecurity Framework does not require a multi-year consulting engagement. A typical first NIST CSF implementation follows a repeatable pattern:",[150,4252,4253,4259,4265,4271,4277,4283,4289],{},[100,4254,4255,4258],{},[20,4256,4257],{},"Scope and prioritize"," — decide which parts of the organization are in scope for this iteration of NIST CSF. Startups often scope the entire company. Enterprises may scope a business unit, a product line, or a critical system.",[100,4260,4261,4264],{},[20,4262,4263],{},"Build a Current Profile"," — score the organization's current performance against each NIST CSF subcategory. Be honest. Many organizations discover that half of their NIST CSF subcategories are informal or partially implemented.",[100,4266,4267,4270],{},[20,4268,4269],{},"Build a Target Profile"," — decide what level of NIST CSF maturity the organization needs. 
Community profiles and sector profiles published by NIST are excellent starting points.",[100,4272,4273,4276],{},[20,4274,4275],{},"Perform a gap analysis"," — the delta between Current and Target is your NIST CSF roadmap. Prioritize by business impact, risk, and cost.",[100,4278,4279,4282],{},[20,4280,4281],{},"Select implementation tiers"," — match each part of the program to an appropriate tier. Not every subcategory needs to be Tier 4.",[100,4284,4285,4288],{},[20,4286,4287],{},"Execute and measure"," — track initiatives, re-score the NIST CSF profile quarterly, and report progress to leadership.",[100,4290,4291,4294],{},[20,4292,4293],{},"Map to other frameworks"," — reuse the NIST CSF profile as the source of truth for SOC 2, ISO 27001, HIPAA, and CMMC evidence.",[16,4296,4297],{},"episki was built for exactly this workflow. episki turns NIST CSF into a live scorecard: you import or build a Current Profile, choose a Target Profile, and episki generates the initiatives, tasks, and evidence collection needed to close the gap — all mapped to your other frameworks automatically. If you are starting from scratch or migrating from NIST CSF 1.1 to NIST CSF 2.0, episki can help you skip the spreadsheet phase entirely.",[16,4299,4300],{},"Ready to operationalize the NIST Cybersecurity Framework? 
Start a trial, import your controls, and share a NIST CSF scorecard with leadership the same day.",{"title":284,"searchDepth":285,"depth":285,"links":4302},[4303,4307,4308,4316,4317,4318,4319,4320,4321,4322],{"id":3814,"depth":285,"text":3815,"children":4304},[4305,4306],{"id":3829,"depth":291,"text":3830},{"id":3843,"depth":291,"text":3844},{"id":3861,"depth":285,"text":353},{"id":3914,"depth":285,"text":3915,"children":4309},[4310,4311,4312,4313,4314,4315],{"id":3924,"depth":291,"text":3925},{"id":357,"depth":291,"text":358},{"id":411,"depth":291,"text":412},{"id":463,"depth":291,"text":464},{"id":497,"depth":291,"text":498},{"id":543,"depth":291,"text":544},{"id":3994,"depth":285,"text":2529},{"id":4034,"depth":285,"text":4035},{"id":4074,"depth":285,"text":4075},{"id":4113,"depth":285,"text":4114},{"id":4144,"depth":285,"text":4145},{"id":4201,"depth":285,"text":4202},{"id":4246,"depth":285,"text":4247},{"title":4324,"description":4325,"items":4326},"NIST CSF launch guide","Use episki’s free trial to benchmark, prioritize, and communicate fast.",[4327,4328,4329,4330,4331],"Baseline maturity assessment","Control library mapped to CSF categories","Initiative tracker with due dates and owners","Risk register tied to CSF outcomes","Executive report template",{"title":4333,"description":4334},"See your NIST CSF score in episki","Start the trial, import controls, and share a scorecard the same day.",{"title":4336,"items":4337},"NIST CSF frequently asked questions",[4338,4340,4343,4346,4349],{"label":3815,"content":4339},"The NIST Cybersecurity Framework (CSF) is a voluntary framework published by the National Institute of Standards and Technology that helps organizations manage and reduce cybersecurity risk. 
It provides a common language for understanding, managing, and expressing cybersecurity risk through five core functions.",{"label":4341,"content":4342},"What is the difference between NIST CSF and ISO 27001?","NIST CSF is a voluntary, outcome-focused maturity framework that helps organizations assess and improve their cybersecurity posture. ISO 27001 is a certifiable standard requiring a formal ISMS. Many organizations use NIST CSF as an internal maturity model alongside ISO 27001 certification for external assurance.",{"label":4344,"content":4345},"Is NIST CSF mandatory?","NIST CSF is voluntary for most private-sector organizations but is mandatory for US federal agencies under Executive Order 13800. Many industries and regulators reference it as a best-practice baseline, and customers increasingly expect suppliers to demonstrate alignment.",{"label":4347,"content":4348},"What are the NIST CSF implementation tiers?","The four tiers describe the maturity of an organization's cybersecurity risk management. Tier 1 (Partial) is ad hoc and reactive. Tier 2 (Risk-Informed) has some risk awareness. Tier 3 (Repeatable) has formal policies. Tier 4 (Adaptive) continuously improves based on lessons learned and threat intelligence.",{"label":4350,"content":4351},"How does NIST CSF relate to other compliance frameworks?","NIST CSF maps to many standards including SOC 2, ISO 27001, HIPAA, and PCI DSS. 
Organizations use it as a unifying layer to identify control gaps and overlaps across multiple compliance requirements, reducing duplicate work when pursuing multiple frameworks.",{"headline":4353,"title":4354,"description":4355,"links":4356},"Measure security maturity","Operationalize NIST CSF across Identify, Protect, Detect, Respond, and Recover","episki translates CSF categories into action plans with real-time scoring and executive reporting.",[4357,4360],{"label":4358,"icon":4359,"to":272},"Start NIST CSF trial","i-lucide-rocket",{"label":4361,"icon":4362,"color":4363,"variant":4364,"to":279,"target":4365},"Book a demo","i-lucide-presentation","neutral","subtle","_blank",{},"NIST CSF","\u002Fframeworks\u002Fnistcsf",{"headline":4370,"title":4370,"description":4371,"items":4372},"NIST CSF toolset","Everything you need to show measurable progress.",[4373,4376,4379],{"title":4374,"description":4375},"Quarterly business review pack","Slides with KPIs, upcoming initiatives, and resource needs.",{"title":4377,"description":4378},"Customer assurance brief","Explains how NIST CSF maps to their requirements.",{"title":4380,"description":4381},"Automation cookbook","Step-by-step instructions for connecting your tooling.",{"title":4383,"description":4384},"NIST CSF Framework Software","Operationalize NIST CSF with live maturity scoring, risk registers, and executive dashboards. 
Benchmark and improve your cybersecurity posture with episki.",[4386,4389,4392],{"value":4387,"description":4388},"Live maturity score","Automated scoring by category, tier, and business unit.",{"value":4390,"description":4391},"Unified risk register","Link risks to CSF categories with AI-prioritized remediation.",{"value":4393,"description":4394},"Executive-ready","Dashboards turn security work into business milestones.","5.frameworks\u002Fnistcsf","78w8eqRvrZecA6ftBMBjnYVYwBGOHqhkHNWo0Q5A6lM",[4398,4631],{"id":4399,"title":4400,"body":4401,"description":284,"extension":298,"lastUpdated":314,"meta":4620,"navigation":316,"path":4621,"relatedFrameworks":4622,"relatedTerms":4624,"seo":4626,"slug":320,"stem":4629,"term":4406,"__hash__":4630},"glossary\u002F8.glossary\u002Faudit-trail.md","Audit Trail",{"type":8,"value":4402,"toc":4610},[4403,4407,4410,4414,4417,4455,4458,4478,4482,4485,4508,4512,4515,4559,4563,4566,4580,4584,4601,4603],[11,4404,4406],{"id":4405},"what-is-an-audit-trail","What is an Audit Trail?",[16,4408,4409],{},"An audit trail is a chronological record of activities, events, and changes within a system or process that provides documentary evidence of the sequence of actions performed. Audit trails answer the fundamental questions: who did what, when did they do it, where did it happen, and what was the result. 
They are essential for security monitoring, incident investigation, compliance demonstration, and accountability.",[86,4411,4413],{"id":4412},"what-audit-trails-capture","What audit trails capture",[16,4415,4416],{},"Effective audit trails typically record:",[97,4418,4419,4425,4431,4437,4443,4449],{},[100,4420,4421,4424],{},[20,4422,4423],{},"User actions"," — logins, logouts, data access, data modifications, privilege changes",[100,4426,4427,4430],{},[20,4428,4429],{},"System events"," — configuration changes, service starts and stops, errors, failures",[100,4432,4433,4436],{},[20,4434,4435],{},"Administrative actions"," — user account creation and deletion, permission changes, policy updates",[100,4438,4439,4442],{},[20,4440,4441],{},"Data changes"," — creation, modification, and deletion of records, including before and after values where applicable",[100,4444,4445,4448],{},[20,4446,4447],{},"Access attempts"," — both successful and failed authentication and authorization attempts",[100,4450,4451,4454],{},[20,4452,4453],{},"Security events"," — firewall rule changes, intrusion detection alerts, malware detections",[16,4456,4457],{},"Each audit trail entry should include:",[97,4459,4460,4463,4466,4469,4472,4475],{},[100,4461,4462],{},"Timestamp (synchronized across systems)",[100,4464,4465],{},"User or system identity",[100,4467,4468],{},"Action performed",[100,4470,4471],{},"Target resource or data",[100,4473,4474],{},"Outcome (success or failure)",[100,4476,4477],{},"Source (IP address, device, or location)",[86,4479,4481],{"id":4480},"audit-trail-requirements-across-frameworks","Audit trail requirements across frameworks",[16,4483,4484],{},"Multiple compliance frameworks require audit trails:",[97,4486,4487,4492,4497,4503],{},[100,4488,4489,4491],{},[20,4490,260],{}," — CC7.2 requires monitoring of system components for anomalies, and CC6.1 requires logical access controls with logging",[100,4493,4494,4496],{},[20,4495,265],{}," — control A.8.15 addresses 
logging, and A.8.17 addresses clock synchronization for accurate audit trails",[100,4498,4499,4502],{},[20,4500,4501],{},"HIPAA"," — the Security Rule requires audit controls that record and examine activity in systems containing ePHI (45 CFR 164.312(b))",[100,4504,4505,4507],{},[20,4506,603],{}," — Requirement 10 mandates logging and monitoring all access to network resources and cardholder data",[86,4509,4511],{"id":4510},"implementing-audit-trails","Implementing audit trails",[16,4513,4514],{},"To implement effective audit trails:",[150,4516,4517,4523,4529,4535,4541,4547,4553],{},[100,4518,4519,4522],{},[20,4520,4521],{},"Enable logging"," — activate audit logging on all in-scope systems including applications, databases, operating systems, and network devices",[100,4524,4525,4528],{},[20,4526,4527],{},"Centralize logs"," — aggregate logs into a central platform (SIEM) for correlation and analysis",[100,4530,4531,4534],{},[20,4532,4533],{},"Protect integrity"," — ensure logs cannot be modified or deleted by users, including administrators",[100,4536,4537,4540],{},[20,4538,4539],{},"Synchronize time"," — use NTP to ensure timestamps are consistent across all systems",[100,4542,4543,4546],{},[20,4544,4545],{},"Define retention"," — establish retention periods aligned with compliance and business requirements",[100,4548,4549,4552],{},[20,4550,4551],{},"Monitor actively"," — review audit trails for suspicious activity, not just for compliance evidence",[100,4554,4555,4558],{},[20,4556,4557],{},"Automate alerts"," — configure alerts for critical events such as failed login attempts, privilege escalation, and unauthorized access",[86,4560,4562],{"id":4561},"audit-trail-retention","Audit trail retention",[16,4564,4565],{},"Retention requirements vary by framework and jurisdiction:",[97,4567,4568,4571,4574,4577],{},[100,4569,4570],{},"PCI DSS requires at least 12 months of audit trail history, with the most recent 3 months immediately 
available",[100,4572,4573],{},"HIPAA requires documentation retention for 6 years",[100,4575,4576],{},"ISO 27001 does not specify a fixed period but requires organizations to define and follow their own retention policy",[100,4578,4579],{},"SOC 2 audit periods typically require evidence covering the observation period",[86,4581,4583],{"id":4582},"common-pitfalls","Common pitfalls",[97,4585,4586,4589,4592,4595,4598],{},[100,4587,4588],{},"Insufficient logging — missing critical events or systems",[100,4590,4591],{},"Log overload — logging too much without meaningful analysis",[100,4593,4594],{},"No log protection — allowing administrators to modify or delete logs",[100,4596,4597],{},"Inconsistent timestamps — making it impossible to correlate events across systems",[100,4599,4600],{},"No review process — collecting logs but never analyzing them",[86,4602,252],{"id":251},[16,4604,4605,4606,282],{},"episki integrates with your logging infrastructure to track compliance-relevant events, maintain audit trail records, and demonstrate continuous monitoring to auditors. The platform maps audit trail capabilities to framework requirements and flags gaps in coverage. Learn more on our ",[257,4607,4609],{"href":4608},"\u002Fframeworks","compliance platform",{"title":284,"searchDepth":285,"depth":285,"links":4611},[4612],{"id":4405,"depth":285,"text":4406,"children":4613},[4614,4615,4616,4617,4618,4619],{"id":4412,"depth":291,"text":4413},{"id":4480,"depth":291,"text":4481},{"id":4510,"depth":291,"text":4511},{"id":4561,"depth":291,"text":4562},{"id":4582,"depth":291,"text":4583},{"id":251,"depth":291,"text":252},{},"\u002Fglossary\u002Faudit-trail",[2563,2564,2565,4623],"pci",[4625,2855,319,3139],"evidence-collection",{"title":4627,"description":4628},"What is an Audit Trail? 
Definition & Compliance Guide","An audit trail is a chronological record of system activities that provides evidence of who did what, when, and where for security and compliance purposes.","8.glossary\u002Faudit-trail","TS31vs1S2ZQUFvm3zNALCcZaNNrpPCRC6ZQBgh0zKdE",{"id":4632,"title":64,"body":4633,"description":284,"extension":298,"lastUpdated":314,"meta":4896,"navigation":316,"path":4897,"relatedFrameworks":4898,"relatedTerms":4900,"seo":4902,"slug":319,"stem":4905,"term":4638,"__hash__":4906},"glossary\u002F8.glossary\u002Fcontinuous-monitoring.md",{"type":8,"value":4634,"toc":4885},[4635,4639,4642,4646,4649,4669,4673,4676,4681,4695,4700,4714,4719,4730,4735,4749,4753,4776,4780,4835,4839,4842,4856,4859,4861,4878,4880],[11,4636,4638],{"id":4637},"what-is-continuous-monitoring","What is Continuous Monitoring?",[16,4640,4641],{},"Continuous monitoring is the practice of maintaining ongoing awareness of an organization's security posture, vulnerabilities, and threats through automated and manual observation of systems, controls, and processes. Rather than assessing security at periodic intervals, continuous monitoring provides real-time or near-real-time visibility into the effectiveness of security controls and the current threat landscape.",[86,4643,4645],{"id":4644},"why-continuous-monitoring-matters","Why continuous monitoring matters",[16,4647,4648],{},"Traditional point-in-time assessments (such as annual audits or quarterly scans) provide snapshots of security posture but miss what happens between assessments. 
Continuous monitoring fills this gap by:",[97,4650,4651,4654,4657,4660,4663,4666],{},[100,4652,4653],{},"Detecting threats and vulnerabilities as they emerge, not months later",[100,4655,4656],{},"Verifying that controls remain effective on an ongoing basis",[100,4658,4659],{},"Identifying configuration drift and unauthorized changes",[100,4661,4662],{},"Providing evidence of sustained compliance for auditors",[100,4664,4665],{},"Enabling faster response to security incidents",[100,4667,4668],{},"Reducing the risk of surprises during audit cycles",[86,4670,4672],{"id":4671},"what-to-monitor","What to monitor",[16,4674,4675],{},"Continuous monitoring spans multiple domains:",[16,4677,4678],{},[20,4679,4680],{},"Security controls:",[97,4682,4683,4686,4689,4692],{},[100,4684,4685],{},"Are access controls still properly configured?",[100,4687,4688],{},"Are encryption mechanisms active and using current standards?",[100,4690,4691],{},"Are security policies being followed?",[100,4693,4694],{},"Are patches being applied within defined timeframes?",[16,4696,4697],{},[20,4698,4699],{},"Systems and infrastructure:",[97,4701,4702,4705,4708,4711],{},[100,4703,4704],{},"Are systems operating normally?",[100,4706,4707],{},"Are there unauthorized configuration changes?",[100,4709,4710],{},"Are there new vulnerabilities affecting your environment?",[100,4712,4713],{},"Are all endpoints protected with current security agents?",[16,4715,4716],{},[20,4717,4718],{},"User activity:",[97,4720,4721,4724,4727],{},[100,4722,4723],{},"Are there unusual access patterns or privilege escalations?",[100,4725,4726],{},"Are terminated users' accounts being deactivated promptly?",[100,4728,4729],{},"Are there failed authentication attempts indicating brute-force attacks?",[16,4731,4732],{},[20,4733,4734],{},"Compliance status:",[97,4736,4737,4740,4743,4746],{},[100,4738,4739],{},"Are all required controls implemented and operating?",[100,4741,4742],{},"Is evidence being collected on 
schedule?",[100,4744,4745],{},"Are policy reviews and updates happening as planned?",[100,4747,4748],{},"Are vendor assessments current?",[86,4750,4752],{"id":4751},"continuous-monitoring-in-compliance-frameworks","Continuous monitoring in compliance frameworks",[97,4754,4755,4760,4765,4770],{},[100,4756,4757,4759],{},[20,4758,260],{}," — CC4.1 and CC4.2 require ongoing monitoring of the internal control system and evaluation of deficiencies",[100,4761,4762,4764],{},[20,4763,265],{}," — clause 9 (Performance evaluation) requires monitoring, measurement, analysis, and evaluation of the ISMS",[100,4766,4767,4769],{},[20,4768,4367],{}," — DE.CM (Continuous Monitoring) specifically addresses monitoring information systems and assets for cybersecurity events",[100,4771,4772,4775],{},[20,4773,4774],{},"NIST SP 800-137"," provides detailed guidance on Information Security Continuous Monitoring (ISCM)",[86,4777,4779],{"id":4778},"implementing-continuous-monitoring","Implementing continuous monitoring",[150,4781,4782,4788,4811,4817,4823,4829],{},[100,4783,4784,4787],{},[20,4785,4786],{},"Define monitoring objectives"," — determine what needs to be monitored based on risk assessment and compliance requirements",[100,4789,4790,4793,4794],{},[20,4791,4792],{},"Select monitoring tools"," — deploy appropriate technologies:\n",[97,4795,4796,4799,4802,4805,4808],{},[100,4797,4798],{},"SIEM (Security Information and Event Management) for log aggregation and correlation",[100,4800,4801],{},"EDR (Endpoint Detection and Response) for endpoint monitoring",[100,4803,4804],{},"Vulnerability scanners for continuous vulnerability assessment",[100,4806,4807],{},"Configuration management tools for drift detection",[100,4809,4810],{},"GRC platforms for compliance monitoring",[100,4812,4813,4816],{},[20,4814,4815],{},"Establish baselines"," — define normal operating parameters so deviations can be detected",[100,4818,4819,4822],{},[20,4820,4821],{},"Configure alerts"," — set meaningful alert 
thresholds to balance detection with alert fatigue",[100,4824,4825,4828],{},[20,4826,4827],{},"Define response procedures"," — establish processes for responding to monitoring alerts",[100,4830,4831,4834],{},[20,4832,4833],{},"Review and improve"," — regularly assess monitoring effectiveness and adjust as needed",[86,4836,4838],{"id":4837},"continuous-monitoring-vs-continuous-compliance","Continuous monitoring vs continuous compliance",[16,4840,4841],{},"While related, these concepts differ:",[97,4843,4844,4850],{},[100,4845,4846,4849],{},[20,4847,4848],{},"Continuous monitoring"," focuses on security — detecting threats, vulnerabilities, and anomalies in real time",[100,4851,4852,4855],{},[20,4853,4854],{},"Continuous compliance"," focuses on maintaining compliance posture — ensuring controls remain effective and evidence stays current",[16,4857,4858],{},"An effective program addresses both. Security monitoring feeds compliance evidence, and compliance monitoring ensures security controls do not degrade.",[86,4860,197],{"id":196},[97,4862,4863,4866,4869,4872,4875],{},[100,4864,4865],{},"Alert fatigue from too many low-priority notifications",[100,4867,4868],{},"Gaps in monitoring coverage across all systems",[100,4870,4871],{},"Insufficient resources to investigate and respond to alerts",[100,4873,4874],{},"Monitoring tools that generate data but lack actionable insights",[100,4876,4877],{},"Difficulty correlating events across disparate systems",[86,4879,252],{"id":251},[16,4881,4882,4883,282],{},"episki provides continuous compliance monitoring by tracking control effectiveness, evidence collection status, and policy review schedules. The platform integrates with security tools to pull monitoring data into your compliance program and alerts you when controls need attention. 
Learn more on our ",[257,4884,4609],{"href":4608},{"title":284,"searchDepth":285,"depth":285,"links":4886},[4887],{"id":4637,"depth":285,"text":4638,"children":4888},[4889,4890,4891,4892,4893,4894,4895],{"id":4644,"depth":291,"text":4645},{"id":4671,"depth":291,"text":4672},{"id":4751,"depth":291,"text":4752},{"id":4778,"depth":291,"text":4779},{"id":4837,"depth":291,"text":4838},{"id":196,"depth":291,"text":197},{"id":251,"depth":291,"text":252},{},"\u002Fglossary\u002Fcontinuous-monitoring",[4899,2563,2564,313],"cmmc",[4625,320,3139,4901,1410],"remediation",{"title":4903,"description":4904},"Continuous Monitoring for Compliance: Tools & Best Practices","Continuous monitoring tracks security controls in real time to detect threats and verify compliance. Learn how to implement it for SOC 2, ISO 27001, and NIST CSF.","8.glossary\u002Fcontinuous-monitoring","CCbQ5HbLdxXJxRJ7m2br9kgIf7qWrb3m1zfwl9k8p-U",[4908,5454],{"id":4909,"title":4910,"body":4911,"description":284,"extension":298,"lastUpdated":314,"meta":5443,"navigation":316,"path":5444,"relatedFrameworks":5445,"relatedTerms":5446,"seo":5449,"slug":2855,"stem":5452,"term":4916,"__hash__":5453},"glossary\u002F8.glossary\u002Faccess-control.md","Access Control",{"type":8,"value":4912,"toc":5429},[4913,4917,4920,4924,4927,4953,4957,4963,4969,4975,4981,4985,4988,4994,5011,5017,5031,5037,5048,5052,5055,5103,5107,5110,5124,5128,5131,5154,5158,5161,5209,5213,5216,5329,5332,5335,5364,5368,5374,5377,5413,5416,5419,5422,5424],[11,4914,4916],{"id":4915},"what-is-access-control","What is Access Control?",[16,4918,4919],{},"Access control is the set of policies, procedures, and technical mechanisms that regulate who can access systems, data, and resources within an organization. It ensures that only authorized individuals can view, modify, or interact with sensitive information and critical systems. 
Access control is one of the most fundamental and universally required security controls across every major compliance framework.",[86,4921,4923],{"id":4922},"core-principles","Core principles",[16,4925,4926],{},"Access control is built on several foundational principles:",[97,4928,4929,4935,4941,4947],{},[100,4930,4931,4934],{},[20,4932,4933],{},"Least privilege"," — users are granted only the minimum access necessary to perform their job functions",[100,4936,4937,4940],{},[20,4938,4939],{},"Separation of duties"," — critical tasks are divided among multiple individuals to prevent any single person from having unchecked authority",[100,4942,4943,4946],{},[20,4944,4945],{},"Need to know"," — access to information is restricted to those who require it for a specific purpose",[100,4948,4949,4952],{},[20,4950,4951],{},"Default deny"," — access is denied by default unless explicitly granted",[86,4954,4956],{"id":4955},"types-of-access-control","Types of access control",[16,4958,4959,4962],{},[20,4960,4961],{},"Role-Based Access Control (RBAC)"," — access is determined by the user's role within the organization. Roles are defined with specific permissions, and users are assigned to roles. This is the most common model in enterprise environments.",[16,4964,4965,4968],{},[20,4966,4967],{},"Attribute-Based Access Control (ABAC)"," — access decisions are based on attributes of the user, the resource, and the environment (e.g., department, location, time of day, device type).",[16,4970,4971,4974],{},[20,4972,4973],{},"Discretionary Access Control (DAC)"," — resource owners decide who can access their resources. Common in file systems where owners set permissions.",[16,4976,4977,4980],{},[20,4978,4979],{},"Mandatory Access Control (MAC)"," — access is controlled by the system based on security labels and clearance levels. 
Common in government and military environments.",[86,4982,4984],{"id":4983},"access-control-components","Access control components",[16,4986,4987],{},"A complete access control program addresses:",[16,4989,4990,4993],{},[20,4991,4992],{},"Authentication"," — verifying the identity of users:",[97,4995,4996,4999,5002,5005,5008],{},[100,4997,4998],{},"Passwords and passphrases",[100,5000,5001],{},"Multi-factor authentication (MFA)",[100,5003,5004],{},"Single sign-on (SSO)",[100,5006,5007],{},"Biometric authentication",[100,5009,5010],{},"Certificate-based authentication",[16,5012,5013,5016],{},[20,5014,5015],{},"Authorization"," — determining what authenticated users can do:",[97,5018,5019,5022,5025,5028],{},[100,5020,5021],{},"Permission assignments",[100,5023,5024],{},"Role definitions",[100,5026,5027],{},"Access control lists",[100,5029,5030],{},"Policy enforcement points",[16,5032,5033,5036],{},[20,5034,5035],{},"Access lifecycle management"," — managing access throughout the user lifecycle:",[97,5038,5039,5042,5045],{},[100,5040,5041],{},"Provisioning (granting access when hired or role changes)",[100,5043,5044],{},"Review (periodic access certification)",[100,5046,5047],{},"Deprovisioning (revoking access upon termination or role change)",[86,5049,5051],{"id":5050},"access-control-in-compliance-frameworks","Access control in compliance frameworks",[16,5053,5054],{},"Every major framework requires access control:",[97,5056,5057,5064,5076,5089,5096],{},[100,5058,5059,5063],{},[20,5060,5061],{},[257,5062,260],{"href":259}," — CC6.1 through CC6.8 cover logical and physical access controls",[100,5065,5066,5070,5071,5075],{},[20,5067,5068],{},[257,5069,265],{"href":264}," — ",[257,5072,5074],{"href":5073},"\u002Fglossary\u002Fannex-a","Annex A"," controls A.5.15 through A.5.18 and A.8.2 through A.8.5 address access management",[100,5077,5078,5083,5084,5088],{},[20,5079,5080],{},[257,5081,4501],{"href":5082},"\u002Fframeworks\u002Fhipaa"," — the 
",[257,5085,5087],{"href":5086},"\u002Fframeworks\u002Fhipaa\u002Fsecurity-rule","Security Rule"," requires access controls for ePHI (45 CFR 164.312(a))",[100,5090,5091,5095],{},[20,5092,5093],{},[257,5094,603],{"href":602}," — Requirements 7 and 8 address access restriction and user identification",[100,5097,5098,5102],{},[20,5099,5100],{},[257,5101,4367],{"href":4368}," — PR.AC covers identity management, authentication, and access control",[86,5104,5106],{"id":5105},"access-reviews","Access reviews",[16,5108,5109],{},"Regular access reviews (also called access certifications) are a critical control:",[97,5111,5112,5115,5118,5121],{},[100,5113,5114],{},"Review user access rights periodically (quarterly is common for sensitive systems)",[100,5116,5117],{},"Verify that access aligns with current job responsibilities",[100,5119,5120],{},"Identify and remove excessive or unnecessary access",[100,5122,5123],{},"Document review results and remediation actions",[86,5125,5127],{"id":5126},"common-access-control-weaknesses","Common access control weaknesses",[16,5129,5130],{},"Even well-designed access control programs can degrade over time without ongoing attention. 
Watch for these common issues:",[97,5132,5133,5136,5139,5142,5145,5148,5151],{},[100,5134,5135],{},"Excessive permissions that accumulate over time (privilege creep)",[100,5137,5138],{},"Shared or generic accounts that prevent individual accountability",[100,5140,5141],{},"Delayed deprovisioning when employees leave or change roles",[100,5143,5144],{},"Lack of MFA on critical systems and remote access paths",[100,5146,5147],{},"Inconsistent access review processes with no documented remediation",[100,5149,5150],{},"Service accounts with standing privileged access and no rotation schedule",[100,5152,5153],{},"Lack of visibility into SaaS application access outside the corporate IdP",[86,5155,5157],{"id":5156},"implementing-access-control-in-practice","Implementing access control in practice",[16,5159,5160],{},"Effective access control programs start with planning and build toward automation. The following steps provide a practical roadmap for organizations at any maturity level:",[150,5162,5163,5169,5175,5181,5187,5193,5203],{},[100,5164,5165,5168],{},[20,5166,5167],{},"Map your environment"," — inventory all systems, applications, and data repositories that require access controls. You cannot protect what you have not identified. Include SaaS applications, cloud infrastructure, on-premises servers, databases, file shares, and third-party integrations.",[100,5170,5171,5174],{},[20,5172,5173],{},"Define roles based on job functions"," — create roles that reflect organizational responsibilities, not individual users. Align roles to the principle of least privilege so each role includes only the permissions required for that function. Review role definitions annually and whenever organizational structure changes.",[100,5176,5177,5180],{},[20,5178,5179],{},"Centralize authentication with SSO"," — implement single sign-on using SAML 2.0 or OpenID Connect (OIDC) to unify identity across cloud and on-premises systems. 
Centralized authentication reduces password sprawl and gives security teams a single point of enforcement. Ensure all business-critical applications are integrated with your SSO provider before considering the rollout complete.",[100,5182,5183,5186],{},[20,5184,5185],{},"Layer MFA on all critical systems"," — require multi-factor authentication for remote access, privileged accounts, email, cloud consoles, and any system that touches sensitive data. Phishing-resistant methods such as FIDO2 hardware keys are preferred over SMS-based codes. At a minimum, enforce MFA on identity providers, admin consoles, and VPN access.",[100,5188,5189,5192],{},[20,5190,5191],{},"Automate provisioning and deprovisioning"," — connect your HR system to your identity provider (IdP) and use SCIM or directory sync to automate account creation, role assignment, and account removal. When an employee is terminated in the HR system, access should be revoked within minutes, not days. Automation eliminates the human error that leads to orphaned accounts and privilege creep.",[100,5194,5195,5198,5199,5202],{},[20,5196,5197],{},"Build an access request and approval workflow"," — establish a formal process where users request access with documented business justification, managers approve, and the request is logged for audit. This creates an ",[257,5200,5201],{"href":4621},"audit trail"," that satisfies compliance requirements.",[100,5204,5205,5208],{},[20,5206,5207],{},"Monitor and log access events"," — collect authentication and authorization logs centrally. Monitor for anomalies such as failed login attempts, access from unusual locations, and privilege escalation. Logs are essential for incident response and audit evidence.",[86,5210,5212],{"id":5211},"access-control-requirements-by-framework","Access control requirements by framework",[16,5214,5215],{},"Different frameworks address the same access control concepts with different control references. 
The table below maps common requirements to their framework-specific identifiers:",[38,5217,5218,5235],{},[41,5219,5220],{},[44,5221,5222,5225,5227,5229,5231,5233],{},[47,5223,5224],{},"Requirement",[47,5226,260],{},[47,5228,265],{},[47,5230,4501],{},[47,5232,603],{},[47,5234,4367],{},[57,5236,5237,5257,5276,5295,5312],{},[44,5238,5239,5242,5245,5248,5251,5254],{},[62,5240,5241],{},"Unique user IDs",[62,5243,5244],{},"CC6.1",[62,5246,5247],{},"A.5.16",[62,5249,5250],{},"§164.312(a)(2)(i)",[62,5252,5253],{},"Req 8.2.1",[62,5255,5256],{},"PR.AC-1",[44,5258,5259,5262,5264,5267,5270,5273],{},[62,5260,5261],{},"MFA",[62,5263,5244],{},[62,5265,5266],{},"A.8.5",[62,5268,5269],{},"Addressable",[62,5271,5272],{},"Req 8.4",[62,5274,5275],{},"PR.AC-7",[44,5277,5278,5280,5283,5286,5289,5292],{},[62,5279,5106],{},[62,5281,5282],{},"CC6.2",[62,5284,5285],{},"A.5.18",[62,5287,5288],{},"§164.312(a)(1)",[62,5290,5291],{},"Req 7.2",[62,5293,5294],{},"PR.AC-4",[44,5296,5297,5299,5302,5305,5307,5310],{},[62,5298,4933],{},[62,5300,5301],{},"CC6.3",[62,5303,5304],{},"A.5.15",[62,5306,5288],{},[62,5308,5309],{},"Req 7.1",[62,5311,5294],{},[44,5313,5314,5317,5319,5321,5324,5327],{},[62,5315,5316],{},"Deprovisioning",[62,5318,5282],{},[62,5320,5285],{},[62,5322,5323],{},"§164.312(a)(2)(ii)",[62,5325,5326],{},"Req 8.2.6",[62,5328,5256],{},[16,5330,5331],{},"Organizations subject to multiple frameworks can use this mapping to build a unified access control program that satisfies overlapping requirements without duplicating effort.",[16,5333,5334],{},"A few notes on framework-specific nuances:",[97,5336,5337,5342,5350,5357],{},[100,5338,5339,5341],{},[20,5340,4501],{}," treats MFA as an \"addressable\" implementation specification, meaning covered entities must implement it or document why an equivalent alternative is reasonable. 
In practice, most organizations implement MFA because the risk of not doing so is difficult to justify.",[100,5343,5344,5349],{},[20,5345,5346,5348],{},[257,5347,603],{"href":602}," v4.0"," expanded MFA requirements (Req 8.4) to include all access into the cardholder data environment, not just remote access. Organizations processing card data should verify their MFA coverage meets the updated scope.",[100,5351,5352,5356],{},[20,5353,5354],{},[257,5355,260],{"href":259}," does not prescribe specific technologies but evaluates whether the controls in place are suitably designed and operating effectively. Auditors will look for evidence that access control policies are enforced consistently.",[100,5358,5359,5363],{},[20,5360,5361],{},[257,5362,4367],{"href":4368}," provides a flexible, risk-based approach. The PR.AC subcategory identifiers map to more detailed controls in NIST SP 800-53, which organizations can reference for implementation guidance.",[86,5365,5367],{"id":5366},"zero-trust-and-access-control","Zero trust and access control",[16,5369,5370,5371,282],{},"Traditional access control models assume that users inside the network perimeter can be trusted. Zero trust architecture rejects that assumption entirely: ",[20,5372,5373],{},"never trust, always verify",[16,5375,5376],{},"In a zero trust model, every access request is authenticated, authorized, and encrypted regardless of where it originates. Key principles include:",[97,5378,5379,5385,5391,5401,5407],{},[100,5380,5381,5384],{},[20,5382,5383],{},"Continuous verification"," — access decisions are re-evaluated throughout a session, not just at login. 
Changes in user behavior, location, or risk score can trigger step-up authentication or session termination.",[100,5386,5387,5390],{},[20,5388,5389],{},"Micro-segmentation"," — network resources are divided into small, isolated zones so that compromising one segment does not grant lateral access to others.",[100,5392,5393,5396,5397,5400],{},[20,5394,5395],{},"Device posture checks"," — the security state of the connecting device (patch level, endpoint protection status, disk ",[257,5398,2856],{"href":5399},"\u002Fglossary\u002Fencryption",") is evaluated before access is granted.",[100,5402,5403,5406],{},[20,5404,5405],{},"Identity-centric perimeter"," — the network perimeter is replaced by identity as the primary security boundary. Every user, device, and workload must prove its identity before accessing any resource.",[100,5408,5409,5412],{},[20,5410,5411],{},"Least privilege enforcement at the session level"," — access grants are scoped to the specific resource and action needed, and they expire when the session ends or conditions change.",[16,5414,5415],{},"NIST SP 800-207 defines the zero trust architecture and provides guidance on implementation. Many compliance frameworks are increasingly aligning their access control requirements with zero trust principles, making it a forward-looking strategy for organizations building or modernizing their access control programs.",[16,5417,5418],{},"Zero trust is not a single product but an architectural approach that spans identity, network, endpoints, and data.",[16,5420,5421],{},"Adopting zero trust does not require replacing your existing access control infrastructure overnight. Most organizations begin by enforcing MFA universally, segmenting their most sensitive assets, and adding device posture checks to their conditional access policies. 
Over time, these incremental improvements compound into a mature zero trust posture.",[86,5423,252],{"id":251},[16,5425,5426,5427,282],{},"episki tracks access control policies, monitors review schedules, and documents access provisioning and deprovisioning activities. The platform sends reminders for periodic access reviews and maintains evidence for auditors. Learn more on our ",[257,5428,4609],{"href":4608},{"title":284,"searchDepth":285,"depth":285,"links":5430},[5431],{"id":4915,"depth":285,"text":4916,"children":5432},[5433,5434,5435,5436,5437,5438,5439,5440,5441,5442],{"id":4922,"depth":291,"text":4923},{"id":4955,"depth":291,"text":4956},{"id":4983,"depth":291,"text":4984},{"id":5050,"depth":291,"text":5051},{"id":5105,"depth":291,"text":5106},{"id":5126,"depth":291,"text":5127},{"id":5156,"depth":291,"text":5157},{"id":5211,"depth":291,"text":5212},{"id":5366,"depth":291,"text":5367},{"id":251,"depth":291,"text":252},{},"\u002Fglossary\u002Faccess-control",[4899,2563,2564,2565,4623,313],[5447,320,2856,5448],"minimum-necessary-rule","user-entity-controls",{"title":5450,"description":5451},"Access Control in Compliance: RBAC, MFA & Least Privilege","Access control restricts system and data access to authorized users. 
Learn RBAC, MFA, least privilege, and requirements across SOC 2, ISO 27001, HIPAA, and PCI DSS.","8.glossary\u002Faccess-control","aw9J1nXzlNuRVpTr3vx46B0ijrBB9hLxb3SnjmXE6cE",{"id":5455,"title":5456,"body":5457,"description":284,"extension":298,"lastUpdated":314,"meta":5679,"navigation":316,"path":5680,"relatedFrameworks":5681,"relatedTerms":5682,"seo":5685,"slug":3137,"stem":5688,"term":5462,"__hash__":5689},"glossary\u002F8.glossary\u002Fbusiness-continuity.md","Business Continuity",{"type":8,"value":5458,"toc":5669},[5459,5463,5466,5470,5473,5487,5490,5494,5500,5511,5517,5534,5540,5557,5563,5580,5584,5607,5611,5614,5640,5643,5645,5662,5664],[11,5460,5462],{"id":5461},"what-is-business-continuity","What is Business Continuity?",[16,5464,5465],{},"Business continuity is the capability of an organization to continue delivering products and services at acceptable predefined levels following a disruptive incident. A business continuity plan (BCP) documents the procedures and resources needed to maintain operations during and after events such as natural disasters, cyberattacks, pandemics, infrastructure failures, or supply chain disruptions.",[86,5467,5469],{"id":5468},"business-continuity-vs-disaster-recovery","Business continuity vs disaster recovery",[16,5471,5472],{},"While often discussed together, business continuity and disaster recovery serve different purposes:",[97,5474,5475,5481],{},[100,5476,5477,5480],{},[20,5478,5479],{},"Business continuity"," focuses on maintaining overall business operations — it encompasses people, processes, facilities, and technology",[100,5482,5483,5486],{},[20,5484,5485],{},"Disaster recovery"," focuses specifically on restoring IT systems and data after a disruption",[16,5488,5489],{},"Disaster recovery is a subset of business continuity. 
A comprehensive business continuity program includes disaster recovery as one of its components.",[86,5491,5493],{"id":5492},"components-of-a-business-continuity-plan","Components of a business continuity plan",[16,5495,5496,5499],{},[20,5497,5498],{},"Business Impact Analysis (BIA)"," — identifies critical business functions, the impact of disrupting them, and the maximum tolerable downtime:",[97,5501,5502,5505,5508],{},[100,5503,5504],{},"Recovery Time Objective (RTO) — the maximum acceptable time to restore a function",[100,5506,5507],{},"Recovery Point Objective (RPO) — the maximum acceptable data loss measured in time",[100,5509,5510],{},"Maximum Tolerable Period of Disruption (MTPD) — the longest the business can survive without the function",[16,5512,5513,5516],{},[20,5514,5515],{},"Risk assessment"," — identifies threats that could disrupt operations and evaluates their likelihood and impact:",[97,5518,5519,5522,5525,5528,5531],{},[100,5520,5521],{},"Natural disasters (earthquakes, floods, severe weather)",[100,5523,5524],{},"Technology failures (hardware failure, software bugs, network outages)",[100,5526,5527],{},"Cyber incidents (ransomware, DDoS attacks, data breaches)",[100,5529,5530],{},"Human factors (key personnel loss, labor disputes)",[100,5532,5533],{},"Supply chain disruptions (vendor failures, logistics breakdowns)",[16,5535,5536,5539],{},[20,5537,5538],{},"Recovery strategies"," — defines how critical functions will be maintained or restored:",[97,5541,5542,5545,5548,5551,5554],{},[100,5543,5544],{},"Alternative work locations or remote work capabilities",[100,5546,5547],{},"Redundant systems and infrastructure",[100,5549,5550],{},"Manual workaround procedures",[100,5552,5553],{},"Third-party recovery services",[100,5555,5556],{},"Communication plans for employees, customers, and stakeholders",[16,5558,5559,5562],{},[20,5560,5561],{},"Plan documentation"," — the written BCP 
includes:",[97,5564,5565,5568,5571,5574,5577],{},[100,5566,5567],{},"Roles and responsibilities",[100,5569,5570],{},"Contact information for key personnel and vendors",[100,5572,5573],{},"Step-by-step recovery procedures for each critical function",[100,5575,5576],{},"Resource requirements",[100,5578,5579],{},"Communication templates",[86,5581,5583],{"id":5582},"business-continuity-in-compliance-frameworks","Business continuity in compliance frameworks",[97,5585,5586,5591,5596,5601],{},[100,5587,5588,5590],{},[20,5589,265],{}," — control A.5.29 addresses information security during disruption, and A.5.30 addresses ICT readiness for business continuity",[100,5592,5593,5595],{},[20,5594,4367],{}," — the Recover function (RC) addresses recovery planning, improvements, and communications",[100,5597,5598,5600],{},[20,5599,260],{}," — the Availability criterion addresses system uptime and recovery capabilities",[100,5602,5603,5606],{},[20,5604,5605],{},"ISO 22301"," — the dedicated international standard for business continuity management systems",[86,5608,5610],{"id":5609},"testing-the-bcp","Testing the BCP",[16,5612,5613],{},"A business continuity plan that has not been tested is unreliable. 
Testing approaches include:",[97,5615,5616,5622,5628,5634],{},[100,5617,5618,5621],{},[20,5619,5620],{},"Tabletop exercises"," — team discussions walking through scenarios",[100,5623,5624,5627],{},[20,5625,5626],{},"Structured walkthroughs"," — step-by-step review of procedures with assigned teams",[100,5629,5630,5633],{},[20,5631,5632],{},"Simulation tests"," — practicing response to a simulated disruption",[100,5635,5636,5639],{},[20,5637,5638],{},"Full interruption tests"," — actually activating recovery procedures (highest assurance but most disruptive)",[16,5641,5642],{},"Testing should occur at least annually and after significant changes to the business or infrastructure.",[86,5644,4583],{"id":4582},[97,5646,5647,5650,5653,5656,5659],{},[100,5648,5649],{},"BCP exists on paper but is never tested or updated",[100,5651,5652],{},"Critical dependencies on single points of failure are not identified",[100,5654,5655],{},"Communication plans do not account for the disruption itself (e.g., email is down)",[100,5657,5658],{},"Key personnel are not trained on their BCP responsibilities",[100,5660,5661],{},"The plan does not keep pace with business changes",[86,5663,252],{"id":251},[16,5665,5666,5667,282],{},"episki helps organizations document their business continuity plans, schedule and track testing exercises, and maintain evidence of BCP activities for auditors. The platform links BCP activities to ISO 27001 and NIST CSF requirements. 
Learn more on our ",[257,5668,4609],{"href":4608},{"title":284,"searchDepth":285,"depth":285,"links":5670},[5671],{"id":5461,"depth":285,"text":5462,"children":5672},[5673,5674,5675,5676,5677,5678],{"id":5468,"depth":291,"text":5469},{"id":5492,"depth":291,"text":5493},{"id":5582,"depth":291,"text":5583},{"id":5609,"depth":291,"text":5610},{"id":4582,"depth":291,"text":4583},{"id":251,"depth":291,"text":252},{},"\u002Fglossary\u002Fbusiness-continuity",[2564,313],[3138,3139,5683,5684],"risk-register","risk-treatment-plan",{"title":5686,"description":5687},"What is Business Continuity? Definition & Compliance Guide","Business continuity planning ensures an organization can maintain essential operations during and after a disruptive event. Learn the key components and frameworks.","8.glossary\u002Fbusiness-continuity","yw7dcdzLzw88-GyDfBkiBkfOJQyJFOUza-P9l6UDW_Y",[5691,5888],{"id":333,"title":334,"body":5692,"description":629,"extension":298,"faq":630,"frameworkSlug":313,"lastUpdated":314,"meta":5884,"navigation":316,"path":632,"relatedTerms":5885,"relatedTopics":5886,"seo":5887,"stem":641,"__hash__":642},{"type":8,"value":5693,"toc":5860},[5694,5696,5698,5700,5704,5706,5708,5710,5714,5718,5722,5726,5730,5734,5736,5738,5740,5742,5744,5748,5752,5756,5760,5764,5768,5770,5772,5774,5776,5778,5782,5786,5790,5792,5794,5796,5798,5800,5804,5808,5812,5816,5820,5822,5824,5826,5828,5830,5834,5838,5842,5844,5846,5848,5850],[11,5695,340],{"id":339},[16,5697,343],{},[16,5699,346],{},[16,5701,349,5702,354],{},[257,5703,353],{"href":352},[11,5705,358],{"id":357},[16,5707,361],{},[86,5709,365],{"id":364},[16,5711,5712,371],{},[20,5713,370],{},[16,5715,5716,377],{},[20,5717,376],{},[16,5719,5720,383],{},[20,5721,382],{},[16,5723,5724,389],{},[20,5725,388],{},[16,5727,5728,395],{},[20,5729,394],{},[16,5731,5732,401],{},[20,5733,400],{},[86,5735,405],{"id":404},[16,5737,408],{},[11,5739,412],{"id":411},[16,5741,415],{},[86,5743,365],{"id":418},[16,5745,5746,424],{},[20,5747,423],{},[16,5
749,5750,430],{},[20,5751,429],{},[16,5753,5754,436],{},[20,5755,435],{},[16,5757,5758,442],{},[20,5759,441],{},[16,5761,5762,448],{},[20,5763,447],{},[16,5765,5766,454],{},[20,5767,453],{},[86,5769,405],{"id":457},[16,5771,460],{},[11,5773,464],{"id":463},[16,5775,467],{},[86,5777,365],{"id":470},[16,5779,5780,476],{},[20,5781,475],{},[16,5783,5784,482],{},[20,5785,481],{},[16,5787,5788,488],{},[20,5789,487],{},[86,5791,405],{"id":491},[16,5793,494],{},[11,5795,498],{"id":497},[16,5797,501],{},[86,5799,365],{"id":504},[16,5801,5802,510],{},[20,5803,509],{},[16,5805,5806,516],{},[20,5807,515],{},[16,5809,5810,522],{},[20,5811,521],{},[16,5813,5814,528],{},[20,5815,527],{},[16,5817,5818,534],{},[20,5819,533],{},[86,5821,405],{"id":537},[16,5823,540],{},[11,5825,544],{"id":543},[16,5827,547],{},[86,5829,365],{"id":550},[16,5831,5832,556],{},[20,5833,555],{},[16,5835,5836,562],{},[20,5837,561],{},[16,5839,5840,568],{},[20,5841,567],{},[86,5843,405],{"id":571},[16,5845,574],{},[11,5847,578],{"id":577},[16,5849,581],{},[16,5851,584,5852,589,5854,594,5856,599,5858,604],{},[257,5853,588],{"href":587},[257,5855,593],{"href":592},[257,5857,598],{"href":597},[257,5859,603],{"href":602},{"title":284,"searchDepth":285,"depth":285,"links":5861},[5862,5863,5867,5871,5875,5879,5883],{"id":339,"depth":285,"text":340},{"id":357,"depth":285,"text":358,"children":5864},[5865,5866],{"id":364,"depth":291,"text":365},{"id":404,"depth":291,"text":405},{"id":411,"depth":285,"text":412,"children":5868},[5869,5870],{"id":418,"depth":291,"text":365},{"id":457,"depth":291,"text":405},{"id":463,"depth":285,"text":464,"children":5872},[5873,5874],{"id":470,"depth":291,"text":365},{"id":491,"depth":291,"text":405},{"id":497,"depth":285,"text":498,"children":5876},[5877,5878],{"id":504,"depth":291,"text":365},{"id":537,"depth":291,"text":405},{"id":543,"depth":285,"text":544,"children":5880},[5881,5882],{"id":550,"depth":291,"text":365},{"id":571,"depth":291,"text":405},{"id":577,"depth":285,"text
":578},{},[634],[636,326,637],{"title":639,"description":640},{"id":644,"title":645,"body":5889,"description":1078,"extension":298,"faq":6185,"frameworkSlug":313,"lastUpdated":314,"meta":6191,"navigation":316,"path":592,"relatedTerms":6192,"relatedTopics":6193,"seo":6194,"stem":1100,"__hash__":1101},{"type":8,"value":5890,"toc":6159},[5891,5893,5895,5897,5907,5909,5911,5913,5915,5917,5919,5929,5931,5933,5951,5953,5955,5957,5959,5961,6015,6017,6019,6021,6023,6027,6033,6037,6041,6045,6047,6049,6051,6053,6055,6057,6059,6077,6079,6081,6095,6097,6099,6101,6103,6105,6107,6109,6113,6115,6117,6119,6121,6123,6127,6129,6131,6133,6135,6157],[11,5892,651],{"id":650},[16,5894,654],{},[16,5896,657],{},[97,5898,5899,5903],{},[100,5900,5901,665],{},[20,5902,664],{},[100,5904,5905,671],{},[20,5906,670],{},[16,5908,674],{},[11,5910,678],{"id":677},[16,5912,681],{},[86,5914,685],{"id":684},[16,5916,688],{},[16,5918,691],{},[97,5920,5921,5923,5925,5927],{},[100,5922,696],{},[100,5924,699],{},[100,5926,702],{},[100,5928,705],{},[86,5930,709],{"id":708},[16,5932,712],{},[97,5934,5935,5939,5943,5947],{},[100,5936,5937,720],{},[20,5938,719],{},[100,5940,5941,726],{},[20,5942,725],{},[100,5944,5945,732],{},[20,5946,731],{},[100,5948,5949,738],{},[20,5950,737],{},[16,5952,741],{},[86,5954,745],{"id":744},[16,5956,748],{},[86,5958,752],{"id":751},[16,5960,755],{},[38,5962,5963,5973],{},[41,5964,5965],{},[44,5966,5967,5969,5971],{},[47,5968,764],{},[47,5970,767],{},[47,5972,770],{},[57,5974,5975,5983,5991,5999,6007],{},[44,5976,5977,5979,5981],{},[62,5978,777],{},[62,5980,780],{},[62,5982,731],{},[44,5984,5985,5987,5989],{},[62,5986,787],{},[62,5988,790],{},[62,5990,725],{},[44,5992,5993,5995,5997],{},[62,5994,797],{},[62,5996,800],{},[62,5998,719],{},[44,6000,6001,6003,6005],{},[62,6002,807],{},[62,6004,810],{},[62,6006,725],{},[44,6008,6009,6011,6013],{},[62,6010,817],{},[62,6012,820],{},[62,6014,725],{},[16,6016,825],{},[11,6018,829],{"id":828},[16,6020,832],{},[86,6022,836],{"id":835},[16,
6024,6025,842],{},[20,6026,841],{},[16,6028,6029,848,6031,852],{},[20,6030,847],{},[257,6032,851],{"href":602},[16,6034,6035,858],{},[20,6036,857],{},[16,6038,6039,864],{},[20,6040,863],{},[16,6042,6043,870],{},[20,6044,869],{},[86,6046,874],{"id":873},[16,6048,877],{},[16,6050,880],{},[11,6052,884],{"id":883},[16,6054,887],{},[86,6056,891],{"id":890},[16,6058,894],{},[150,6060,6061,6065,6069,6073],{},[100,6062,6063,902],{},[20,6064,901],{},[100,6066,6067,908],{},[20,6068,907],{},[100,6070,6071,914],{},[20,6072,913],{},[100,6074,6075,920],{},[20,6076,919],{},[86,6078,924],{"id":923},[16,6080,927],{},[97,6082,6083,6085,6087,6089,6091,6093],{},[100,6084,932],{},[100,6086,935],{},[100,6088,938],{},[100,6090,941],{},[100,6092,944],{},[100,6094,947],{},[86,6096,951],{"id":950},[16,6098,954],{},[11,6100,958],{"id":957},[16,6102,961],{},[86,6104,965],{"id":964},[16,6106,968],{},[86,6108,972],{"id":971},[16,6110,975,6111,979],{},[257,6112,978],{"href":597},[86,6114,983],{"id":982},[16,6116,986],{},[86,6118,990],{"id":989},[16,6120,993],{},[11,6122,997],{"id":996},[16,6124,1000,6125,1003],{},[257,6126,588],{"href":587},[16,6128,1006],{},[16,6130,1009],{},[11,6132,1013],{"id":1012},[16,6134,1016],{},[97,6136,6137,6141,6145,6149,6153],{},[100,6138,6139,1024],{},[20,6140,1023],{},[100,6142,6143,1030],{},[20,6144,1029],{},[100,6146,6147,1036],{},[20,6148,1035],{},[100,6150,6151,1042],{},[20,6152,1041],{},[100,6154,6155,1048],{},[20,6156,1047],{},[16,6158,1051],{},{"title":284,"searchDepth":285,"depth":285,"links":6160},[6161,6162,6168,6172,6177,6183,6184],{"id":650,"depth":285,"text":651},{"id":677,"depth":285,"text":678,"children":6163},[6164,6165,6166,6167],{"id":684,"depth":291,"text":685},{"id":708,"depth":291,"text":709},{"id":744,"depth":291,"text":745},{"id":751,"depth":291,"text":752},{"id":828,"depth":285,"text":829,"children":6169},[6170,6171],{"id":835,"depth":291,"text":836},{"id":873,"depth":291,"text":874},{"id":883,"depth":285,"text":884,"children":6173},[6174,617
5,6176],{"id":890,"depth":291,"text":891},{"id":923,"depth":291,"text":924},{"id":950,"depth":291,"text":951},{"id":957,"depth":285,"text":958,"children":6178},[6179,6180,6181,6182],{"id":964,"depth":291,"text":965},{"id":971,"depth":291,"text":972},{"id":982,"depth":291,"text":983},{"id":989,"depth":291,"text":990},{"id":996,"depth":285,"text":997},{"id":1012,"depth":285,"text":1013},{"items":6186},[6187,6188,6189,6190],{"label":651,"content":1082},{"label":1084,"content":1085},{"label":1087,"content":1088},{"label":1090,"content":1091},{},[634],[1095,636,1096],{"title":1098,"description":1099},{"id":3786,"title":3787,"advantages":6196,"body":6203,"checklist":6545,"cta":6547,"description":284,"extension":298,"faq":6548,"hero":6555,"meta":6559,"name":4367,"navigation":316,"path":4368,"resources":6560,"seo":6565,"slug":313,"stats":6566,"stem":4395,"__hash__":4396},[6197,6199,6201],{"title":3790,"description":3791,"bullets":6198},[3793,3794,3795],{"title":3797,"description":3798,"bullets":6200},[3800,3801,3802],{"title":3804,"description":3805,"bullets":6202},[3807,3808,3809],{"type":8,"value":6204,"toc":6523},[6205,6207,6211,6213,6215,6219,6221,6223,6225,6231,6233,6235,6237,6263,6267,6269,6271,6273,6275,6281,6283,6289,6291,6297,6299,6305,6307,6313,6315,6321,6323,6325,6329,6347,6351,6353,6357,6359,6369,6371,6377,6379,6385,6397,6401,6403,6409,6413,6419,6421,6423,6455,6457,6459,6461,6481,6483,6485,6487,6489,6519,6521],[11,6206,3815],{"id":3814},[16,6208,3818,6209,3823],{},[257,6210,3822],{"href":3821},[16,6212,3826],{},[86,6214,3830],{"id":3829},[16,6216,3833,6217,3837],{},[20,6218,3836],{},[16,6220,3840],{},[86,6222,3844],{"id":3843},[16,6224,3847],{},[16,6226,3850,6227,3854,6229,3858],{},[20,6228,3853],{},[20,6230,3857],{},[11,6232,353],{"id":3861},[16,6234,3864],{},[16,6236,3867],{},[97,6238,6239,6243,6247,6251,6259],{},[100,6240,6241,3875],{},[20,6242,3874],{},[100,6244,6245,3881],{},[20,6246,3880],{},[100,6248,6249,3887],{},[20,6250,3886],{},[100,6252,6253,3892,625
5,3896,6257,3899],{},[20,6254,3586],{},[257,6256,3895],{"href":3821},[257,6258,260],{"href":259},[100,6260,6261,3905],{},[20,6262,3904],{},[16,6264,3908,6265,3911],{},[257,6266,353],{"href":352},[11,6268,3915],{"id":3914},[16,6270,3918],{},[16,6272,3921],{},[86,6274,3925],{"id":3924},[16,6276,18,6277,3930,6279,282],{},[20,6278,3857],{},[257,6280,3933],{"href":1408},[86,6282,358],{"id":357},[16,6284,18,6285,3941,6287,282],{},[20,6286,3940],{},[257,6288,3944],{"href":1706},[86,6290,412],{"id":411},[16,6292,18,6293,3952,6295,282],{},[20,6294,3951],{},[257,6296,3955],{"href":2853},[86,6298,464],{"id":463},[16,6300,18,6301,3963,6303,282],{},[20,6302,3962],{},[257,6304,3966],{"href":317},[86,6306,498],{"id":497},[16,6308,18,6309,3974,6311,282],{},[20,6310,3973],{},[257,6312,3977],{"href":3413},[86,6314,544],{"id":543},[16,6316,18,6317,3985,6319,282],{},[20,6318,3984],{},[257,6320,3988],{"href":3135},[16,6322,3991],{},[11,6324,2529],{"id":3994},[16,6326,3997,6327,4000],{},[20,6328,588],{},[97,6330,6331,6335,6339,6343],{},[100,6332,6333,4008],{},[20,6334,4007],{},[100,6336,6337,4014],{},[20,6338,4013],{},[100,6340,6341,4020],{},[20,6342,4019],{},[100,6344,6345,4026],{},[20,6346,4025],{},[16,6348,4029,6349,3911],{},[257,6350,2529],{"href":587},[11,6352,4035],{"id":4034},[16,6354,4038,6355,4041],{},[20,6356,2005],{},[16,6358,4044],{},[97,6360,6361,6365],{},[100,6362,4038,6363,4052],{},[20,6364,4051],{},[100,6366,4038,6367,4058],{},[20,6368,4057],{},[16,6370,4061],{},[16,6372,4064,6373,4069,6375,282],{},[257,6374,4068],{"href":4067},[257,6376,4035],{"href":592},[11,6378,4075],{"id":4074},[16,6380,4078,6381,4082,6383,4086],{},[20,6382,4081],{},[20,6384,4085],{},[97,6386,6387,6393],{},[100,6388,6389,4094,6391,4098],{},[20,6390,4093],{},[20,6392,4097],{},[100,6394,6395,4103],{},[20,6396,3853],{},[16,6398,4106,6399,4110],{},[20,6400,4109],{},[11,6402,4114],{"id":4113},[16,6404,4117,6405,261,6407,4122],{},[257,6406,260],{"href":259},[257,6408,265],{"href":264},[16,6410,4125,6411,41
30],{},[257,6412,4129],{"href":4128},[16,6414,4133,6415,4136,6417,4141],{},[257,6416,4114],{"href":597},[257,6418,4140],{"href":4139},[11,6420,4145],{"id":4144},[16,6422,4148],{},[97,6424,6425,6429,6435,6439,6443,6447,6451],{},[100,6426,6427,4156],{},[20,6428,4155],{},[100,6430,6431,4162,6433,282],{},[20,6432,4161],{},[257,6434,4165],{"href":4128},[100,6436,6437,4171],{},[20,6438,4170],{},[100,6440,6441,4177],{},[20,6442,4176],{},[100,6444,6445,4183],{},[20,6446,4182],{},[100,6448,6449,4189],{},[20,6450,4188],{},[100,6452,6453,4195],{},[20,6454,4194],{},[16,6456,4198],{},[11,6458,4202],{"id":4201},[16,6460,4205],{},[97,6462,6463,6469,6475],{},[100,6464,6465,4213,6467,4217],{},[20,6466,4212],{},[20,6468,4216],{},[100,6470,6471,4223,6473,4227],{},[20,6472,4222],{},[20,6474,4226],{},[100,6476,6477,4233,6479,4237],{},[20,6478,4232],{},[20,6480,4236],{},[16,6482,4240],{},[16,6484,4243],{},[11,6486,4247],{"id":4246},[16,6488,4250],{},[150,6490,6491,6495,6499,6503,6507,6511,6515],{},[100,6492,6493,4258],{},[20,6494,4257],{},[100,6496,6497,4264],{},[20,6498,4263],{},[100,6500,6501,4270],{},[20,6502,4269],{},[100,6504,6505,4276],{},[20,6506,4275],{},[100,6508,6509,4282],{},[20,6510,4281],{},[100,6512,6513,4288],{},[20,6514,4287],{},[100,6516,6517,4294],{},[20,6518,4293],{},[16,6520,4297],{},[16,6522,4300],{},{"title":284,"searchDepth":285,"depth":285,"links":6524},[6525,6529,6530,6538,6539,6540,6541,6542,6543,6544],{"id":3814,"depth":285,"text":3815,"children":6526},[6527,6528],{"id":3829,"depth":291,"text":3830},{"id":3843,"depth":291,"text":3844},{"id":3861,"depth":285,"text":353},{"id":3914,"depth":285,"text":3915,"children":6531},[6532,6533,6534,6535,6536,6537],{"id":3924,"depth":291,"text":3925},{"id":357,"depth":291,"text":358},{"id":411,"depth":291,"text":412},{"id":463,"depth":291,"text":464},{"id":497,"depth":291,"text":498},{"id":543,"depth":291,"text":544},{"id":3994,"depth":285,"text":2529},{"id":4034,"depth":285,"text":4035},{"id":4074,"depth":285,"text":4075},{
"id":4113,"depth":285,"text":4114},{"id":4144,"depth":285,"text":4145},{"id":4201,"depth":285,"text":4202},{"id":4246,"depth":285,"text":4247},{"title":4324,"description":4325,"items":6546},[4327,4328,4329,4330,4331],{"title":4333,"description":4334},{"title":4336,"items":6549},[6550,6551,6552,6553,6554],{"label":3815,"content":4339},{"label":4341,"content":4342},{"label":4344,"content":4345},{"label":4347,"content":4348},{"label":4350,"content":4351},{"headline":4353,"title":4354,"description":4355,"links":6556},[6557,6558],{"label":4358,"icon":4359,"to":272},{"label":4361,"icon":4362,"color":4363,"variant":4364,"to":279,"target":4365},{},{"headline":4370,"title":4370,"description":4371,"items":6561},[6562,6563,6564],{"title":4374,"description":4375},{"title":4377,"description":4378},{"title":4380,"description":4381},{"title":4383,"description":4384},[6567,6568,6569],{"value":4387,"description":4388},{"value":4390,"description":4391},{"value":4393,"description":4394},{"id":6571,"title":6572,"body":6573,"comparison":6664,"competitorA":6709,"competitorB":6710,"cta":6711,"description":284,"extension":298,"faq":630,"hero":6714,"meta":6723,"navigation":316,"path":6724,"seo":6725,"slug":6728,"slugA":6729,"slugB":6730,"stem":6731,"verdict":6732,"__hash__":6736},"compareVs\u002F7.compare\u002Fvs\u002Fdrata-vs-secureframe.md","Drata Vs Secureframe",{"type":8,"value":6574,"toc":6654},[6575,6579,6582,6586,6589,6595,6598,6602,6605,6608,6611,6615,6618,6621,6625,6628,6631,6635,6638,6641,6645,6648,6651],[11,6576,6578],{"id":6577},"drata-vs-secureframe-the-closest-comparison-in-compliance","Drata vs Secureframe: the closest comparison in compliance",[16,6580,6581],{},"If Vanta is the 800-pound gorilla, Drata and Secureframe are the two challengers most often compared against each other. They target similar buyers, cover similar frameworks, and offer similar automation. 
The differences are real but subtle — and they matter most in how your team experiences the platform day to day.",[86,6583,6585],{"id":6584},"feature-parity-with-different-emphasis","Feature parity with different emphasis",[16,6587,6588],{},"On paper, Drata and Secureframe look nearly identical. Both automate evidence collection, monitor your compliance posture continuously, support 15+ frameworks, and provide auditor-facing portals. The overlap is so significant that choosing between them often comes down to three factors: onboarding style, dashboard experience, and pricing.",[16,6590,6591,6594],{},[20,6592,6593],{},"Onboarding style"," is the clearest differentiator. Drata leans toward self-serve. The platform guides you through integration setup, control mapping, and evidence configuration with in-app workflows. For teams with compliance experience, this speed is an advantage — you can be operational in 1–2 weeks without waiting for a human to walk you through every step.",[16,6596,6597],{},"Secureframe takes the opposite approach. Every customer gets access to dedicated compliance managers who help interpret requirements, map controls to your environment, and prepare for audit. This white-glove model adds a week or two to implementation but dramatically reduces the learning curve for first-time audit teams.",[86,6599,6601],{"id":6600},"the-dashboard-question","The dashboard question",[16,6603,6604],{},"Drata's compliance dashboard is one of its signature features. The real-time posture view shows passing and failing controls across every framework, with compliance percentages and trend data. For compliance leads who report to a CISO or board, this visual layer simplifies status updates and makes it easy to demonstrate progress.",[16,6606,6607],{},"Secureframe also provides dashboards, but they feel more functional than visual. 
The platform surfaces actionable items — controls that need attention, evidence that's expiring, gaps to remediate — in a task-oriented format. It's effective, but it doesn't deliver the same at-a-glance executive view that Drata provides.",[16,6609,6610],{},"For teams that need board-ready compliance reporting, Drata has the edge. For teams that care more about daily workflow and task management, Secureframe's approach may feel more productive.",[86,6612,6614],{"id":6613},"integration-depth","Integration depth",[16,6616,6617],{},"Secureframe holds a slight advantage in integration count, with 150+ connections compared to Drata's 100+. The extra integrations primarily cover developer tools, identity providers, and security platforms. For teams running complex stacks with multiple CI\u002FCD pipelines, vulnerability scanners, and endpoint management tools, Secureframe's broader integration library means less manual evidence collection.",[16,6619,6620],{},"Drata's integrations, while fewer in number, tend to offer deeper configuration options for the platforms they do support. If your stack is standard — AWS or GCP, Okta or Google Workspace, GitHub, and a common HR tool — both platforms will serve you equally well.",[86,6622,6624],{"id":6623},"pricing-opacity","Pricing opacity",[16,6626,6627],{},"Neither Drata nor Secureframe publishes pricing. Both require a sales conversation to get a quote, and both scale based on team size, framework count, and contract terms. Based on market data, Drata typically starts around $10,000–$15,000\u002Fyr while Secureframe starts slightly lower at $8,000–$12,000\u002Fyr. At scale, both reach $30,000–$50,000\u002Fyr for larger organizations.",[16,6629,6630],{},"This pricing opacity creates a frustrating buying experience. You can't model costs internally before engaging sales. You can't easily compare options. 
And renewal conversations often involve price increases that are hard to predict at the time of initial purchase.",[86,6632,6634],{"id":6633},"where-both-platforms-struggle","Where both platforms struggle",[16,6636,6637],{},"The irony of comparing Drata and Secureframe is that their most significant limitations are shared. Both use pricing models that punish team growth. Both rely on templated control libraries that resist customization. Both treat policy documentation as a secondary concern — something generated through forms rather than crafted through a proper writing experience.",[16,6639,6640],{},"And both lock you into their workflow assumptions. If your compliance program doesn't map cleanly to their templates — if you run hybrid frameworks, need custom controls, or want to structure programs differently than the default — you'll spend time working around the platform instead of working within it.",[86,6642,6644],{"id":6643},"the-case-for-a-different-approach","The case for a different approach",[16,6646,6647],{},"When two products are this similar, the deciding factor often isn't which one is better — it's whether either one is the right category of tool for your needs. If you want maximum automation and are comfortable with enterprise pricing, Drata and Secureframe both deliver.",[16,6649,6650],{},"But if you want flat pricing at $500\u002Fmo, a Notion-like editor for compliance documentation, and the freedom to build programs that reflect how your team actually operates — episki offers something neither Drata nor Secureframe provides. No per-seat scaling. No opaque quotes. 
No templated policies that read like every other company's.",[16,6652,6653],{},"Just a workspace your compliance team will use daily, at a price that doesn't make your CFO wince.",{"title":284,"searchDepth":285,"depth":285,"links":6655},[6656],{"id":6577,"depth":285,"text":6578,"children":6657},[6658,6659,6660,6661,6662,6663],{"id":6584,"depth":291,"text":6585},{"id":6600,"depth":291,"text":6601},{"id":6613,"depth":291,"text":6614},{"id":6623,"depth":291,"text":6624},{"id":6633,"depth":291,"text":6634},{"id":6643,"depth":291,"text":6644},[6665,6670,6674,6679,6684,6689,6694,6699,6704],{"feature":6666,"competitorA":6667,"competitorB":6668,"episki":6669},"Pricing model","Custom pricing, typically starting around $10,000–$15,000\u002Fyr","Custom pricing, typically starting around $8,000–$12,000\u002Fyr","Flat $500\u002Fmo or $5,000\u002Fyr with unlimited seats",{"feature":6671,"competitorA":6672,"competitorB":6672,"episki":6673},"Framework coverage","SOC 2, ISO 27001, HIPAA, PCI DSS, GDPR, and 15+ frameworks","SOC 2, ISO 27001, HIPAA, PCI DSS, NIST CSF, and custom frameworks",{"feature":6675,"competitorA":6676,"competitorB":6677,"episki":6678},"Automation depth","Automated evidence collection with real-time compliance dashboards","Automated monitoring with continuous evidence collection and alerts","AI-assisted drafting and structured workflows with manual evidence uploads",{"feature":6680,"competitorA":6681,"competitorB":6682,"episki":6683},"Integration count","100+ integrations covering major cloud and SaaS platforms","150+ integrations covering cloud, identity, HR, and developer tools","Growing integration library with focus on structured evidence reuse",{"feature":6685,"competitorA":6686,"competitorB":6687,"episki":6688},"Auditor collaboration","Auditor-facing portal with read-only access and evidence downloads","Auditor-ready evidence rooms with structured access controls","Built-in auditor portal with scoped access and Q&A 
threads",{"feature":6690,"competitorA":6691,"competitorB":6692,"episki":6693},"AI features","AI-assisted control mapping and compliance recommendations","AI-driven compliance recommendations and automated risk scoring","AI drafts policies, narratives, remediation steps, and questionnaire answers",{"feature":6695,"competitorA":6696,"competitorB":6697,"episki":6698},"Implementation time","1–3 weeks with self-serve setup and optional guided onboarding","2–3 weeks with guided onboarding and compliance expertise","Same-day setup with self-serve onboarding and optional demo",{"feature":6700,"competitorA":6701,"competitorB":6702,"episki":6703},"Support model","In-app chat, email support, and dedicated CSM for larger accounts","Dedicated compliance managers, email, and in-app support","Direct founder access, in-app chat, and shared Slack channels",{"feature":6705,"competitorA":6706,"competitorB":6707,"episki":6708},"Free trial","Demo-based sales process, limited free trial availability","Demo-based sales process, no public free trial","14-day free trial with full access, no credit card required","Drata","Secureframe",{"title":6712,"description":6713},"Skip the comparison. Try episki free.","14-day trial with full access. No credit card required.",{"headline":6715,"title":6716,"description":6717,"links":6718},"Drata vs Secureframe","Similar features, different approaches to compliance automation","Compare Drata and Secureframe across pricing, onboarding, and compliance workflows. 
Two closely matched platforms with subtle but important differences for your team.",[6719,6721],{"label":6720,"icon":4359,"to":272},"Try episki free",{"label":4361,"icon":6722,"color":4363,"variant":4364,"to":279,"target":4365},"i-lucide-message-circle",{},"\u002Fcompare\u002Fvs\u002Fdrata-vs-secureframe",{"title":6726,"description":6727},"Drata vs Secureframe (2026): Pricing, Features & Honest Comparison","Drata vs Secureframe compared on pricing, onboarding, framework coverage, and compliance automation. See which platform fits your team — or why neither might be the best choice.","drata-vs-secureframe","drata","secureframe","7.compare\u002Fvs\u002Fdrata-vs-secureframe",{"chooseA":6733,"chooseB":6734,"chooseEpiski":6735},"Choose Drata if you value self-serve speed and visual compliance dashboards. Drata gets you operational faster and provides the clearest real-time view of your compliance posture — ideal for teams with in-house compliance knowledge.","Choose Secureframe if you want more hands-on guidance from dedicated compliance managers. Secureframe's human-led onboarding is better for teams running their first audit without experienced GRC staff.","Choose episki if you want transparent pricing, a writing-first editor, and the flexibility to structure programs your way. episki is for teams that want to own their compliance narrative without paying enterprise prices.","HuA5a0qhJVkEPHNLT6GY_VEempd7yA1ONnXItxDt-ZQ",{"id":6738,"title":6709,"advantages":6739,"body":6761,"comparison":6812,"competitor":6709,"cta":6839,"description":284,"extension":298,"hero":6842,"meta":6851,"navigation":316,"path":6852,"seo":6853,"slug":6729,"stem":6856,"__hash__":6857},"compare\u002F7.compare\u002Fdrata.md",[6740,6747,6754],{"title":6741,"description":6742,"bullets":6743},"One flat price for everything","episki includes unlimited frameworks, teammates, and portals for a single monthly or annual fee. 
No tiers, no negotiations.",[6744,6745,6746],"Add frameworks without upgrading to a higher tier","Invite auditors, customers, and stakeholders at no extra cost","Predictable billing that does not scale with headcount",{"title":6748,"description":6749,"bullets":6750},"Connected programs and assessments","episki treats compliance as connected work. Programs, assessments, controls, tasks, and issues link together so nothing falls through the cracks.",[6751,6752,6753],"Run recurring programs and one-time assessments side by side","Tasks inherit context from parent controls and programs","Evidence attaches once and stays available across every framework",{"title":6755,"description":6756,"bullets":6757},"Fast, keyboard-driven workspace","episki is built for people who spend hours in the tool. Keyboard shortcuts, global search, and a rich editor make daily compliance work feel fast.",[6758,6759,6760],"Navigate between programs, controls, and evidence without lifting your hands","Inline editing for policies, narratives, and response drafts","Dark mode and responsive layout for any screen",{"type":8,"value":6762,"toc":6807},[6763,6767,6770,6773,6793,6797,6800,6804],[11,6764,6766],{"id":6765},"why-teams-evaluate-drata-alternatives","Why teams evaluate Drata alternatives",[16,6768,6769],{},"Drata has built a comprehensive compliance automation platform with strong automated evidence collection and a wide library of supported frameworks. 
It works well for organizations that want continuous monitoring with minimal manual intervention.",[16,6771,6772],{},"Some teams look for alternatives when they need:",[97,6774,6775,6781,6787],{},[100,6776,6777,6780],{},[20,6778,6779],{},"Simpler pricing"," — Drata's tiered pricing based on framework count and company size can make budgeting unpredictable, especially for organizations running multiple frameworks or growing quickly.",[100,6782,6783,6786],{},[20,6784,6785],{},"Unified program management"," — teams managing overlapping compliance programs want controls, evidence, and tasks connected across frameworks in a single workspace rather than managed as separate compliance tracks.",[100,6788,6789,6792],{},[20,6790,6791],{},"A daily-use workspace"," — compliance teams that spend significant time writing, reviewing, and collaborating want an editor and navigation experience that feels productive rather than transactional.",[11,6794,6796],{"id":6795},"when-drata-might-be-the-better-fit","When Drata might be the better fit",[16,6798,6799],{},"Drata is a strong choice for teams that prioritize automated continuous monitoring and need a platform with deep integration coverage across cloud, identity, HR, and development tools. If your primary concern is automating evidence collection and you operate in a well-defined framework like SOC 2 or ISO 27001, Drata's automation depth is compelling.",[11,6801,6803],{"id":6802},"when-episki-shines","When episki shines",[16,6805,6806],{},"episki is designed for teams that view compliance as ongoing, cross-functional work rather than a monitoring dashboard. 
If you run multiple programs, collaborate with auditors directly in the tool, and want a workspace that feels as fast as your engineering tools, episki delivers a different kind of compliance experience.",{"title":284,"searchDepth":285,"depth":285,"links":6808},[6809,6810,6811],{"id":6765,"depth":285,"text":6766},{"id":6795,"depth":285,"text":6796},{"id":6802,"depth":285,"text":6803},[6813,6815,6816,6820,6824,6827,6831,6835],{"feature":6666,"episki":6669,"competitor":6814},"Tiered pricing based on framework count and company size",{"feature":6671,"episki":6673,"competitor":6672},{"feature":6817,"episki":6818,"competitor":6819},"Control management","Linked control graph with cross-framework reuse and ownership","Control library with automated testing and monitoring",{"feature":6821,"episki":6822,"competitor":6823},"Evidence collection","Manual uploads with structured ownership and reuse across frameworks","Automated evidence collection with 100+ integrations",{"feature":6825,"episki":6693,"competitor":6826},"AI assistance","AI-powered compliance automation",{"feature":6828,"episki":6829,"competitor":6830},"Risk management","Risk registers with remediation tracking tied to controls","Built-in risk management with scoring and treatment plans",{"feature":6832,"episki":6833,"competitor":6834},"Editor experience","Notion-like rich text editor with inline editing","Structured forms and workflow-based interface",{"feature":6836,"episki":6837,"competitor":6838},"Collaboration","Built-in auditor portal, customer portals, and team workspaces","Auditor-facing dashboards and team collaboration features",{"title":6840,"description":6841},"Try episki side by side with Drata","Start a free trial with all features enabled. Import your controls and see the difference.",{"headline":6843,"title":6844,"description":6845,"links":6846},"episki vs Drata","How episki compares to Drata for compliance teams","A head-to-head on pricing, workflow design, and framework flexibility. 
See why teams that want a faster, more collaborative compliance workspace switch from Drata to episki.",[6847,6849],{"label":6848,"icon":4359,"to":272},"Start free trial",{"label":6850,"icon":6722,"color":4363,"variant":4364,"to":279,"target":4365},"See a live demo",{},"\u002Fcompare\u002Fdrata",{"title":6854,"description":6855},"episki vs Drata (2026): Pricing, Flexibility & Why Teams Switch","Compare episki and Drata on pricing, workflow design, and framework flexibility. See why compliance teams switch from Drata to episki.","7.compare\u002Fdrata","rehdI9NC6n1m3mFaD-M9xGliPjg5awlPauCt-LCW_es",{"id":6859,"title":6860,"api":630,"authors":6861,"body":6867,"category":7044,"date":7045,"description":7046,"extension":298,"features":630,"fixes":630,"highlight":630,"image":7047,"improvements":630,"meta":7049,"navigation":316,"path":7051,"seo":7052,"stem":7053,"__hash__":7054},"posts\u002F3.now\u002Fdefined-roles-pci-compliance-mistakes.md","Defined Roles in PCI: The Compliance Mistakes That Fly Under the Radar",[6862],{"name":6863,"to":6864,"avatar":6865},"Justin Leapline","https:\u002F\u002Fwww.linkedin.com\u002Fin\u002Fjustinleapline\u002F",{"src":6866},"\u002Fimages\u002Fjustinleapline.png",{"type":8,"value":6868,"toc":7036},[6869,6875,6878,6881,6884,6887,6890,6892,6896,6906,6909,6912,6915,6917,6921,6924,6927,6930,6933,6935,6939,6947,6950,6953,6956,6958,6962,6965,6968,6971,6973,6977,6980,6983,6986,6989,6991,6995,6998,7001,7004,7006,7011,7023,7029,7031],[6870,6871,6872],"blockquote",{},[16,6873,6874],{},"When it comes to PCI DSS, most organizations focus on the technical controls — encryption, access management, logging. But one of the most persistent failure points isn't technical at all. It's the question of who owns what. Undefined or poorly assigned roles quietly undermine even the most well-resourced compliance programs. 
This post breaks down the most common role-related mistakes security leaders make in PCI — and what to do differently.",[6876,6877],"hr",{},[16,6879,6880],{},"Most PCI compliance failures don't happen because teams don't know the standard.",[16,6882,6883],{},"They happen because nobody agreed on who was responsible for following it.",[16,6885,6886],{},"It sounds simple. In practice, it's one of the hardest problems in compliance programs — and one of the least discussed. When a QSA walks in for an assessment and finds gaps, the root cause is often not a missing control. It's a missing owner.",[16,6888,6889],{},"For CISOs leading PCI programs, role clarity isn't a nice-to-have. It's the foundation everything else sits on.",[6876,6891],{},[11,6893,6895],{"id":6894},"mistake-1-treating-pci-ownership-as-an-it-problem","Mistake #1: Treating PCI Ownership as an IT Problem",[16,6897,6898,6900,6901,6905],{},[257,6899,603],{"href":602}," governs the entire ",[257,6902,6904],{"href":6903},"\u002Fglossary\u002Fcardholder-data-environment","cardholder data environment"," — and the cardholder data environment touches far more than IT.",[16,6907,6908],{},"It includes how sales teams handle card data over the phone. How finance processes refunds. How third-party vendors connect to your systems. How HR onboards employees who access payment infrastructure. And yet, in most organizations, PCI ownership sits almost exclusively with the security or IT team — while the business units that handle cardholder data daily operate with little awareness of their own obligations.",[16,6910,6911],{},"This creates a structural gap. Controls get implemented technically but not operationally. Policies exist on paper but aren't followed in practice because the people they govern don't know they apply to them.",[16,6913,6914],{},"The fix isn't adding more controls. It's expanding the ownership model. 
Every team that touches cardholder data needs a defined role in the compliance program — with accountability, not just awareness.",[6876,6916],{},[11,6918,6920],{"id":6919},"mistake-2-confusing-responsible-with-accountable","Mistake #2: Confusing \"Responsible\" with \"Accountable\"",[16,6922,6923],{},"One of the most reliable ways to spot a broken compliance program is to ask two people on the same team who owns a specific PCI requirement. If you get two different answers — or two blank stares — you have an accountability problem.",[16,6925,6926],{},"The distinction between responsibility and accountability matters here. Responsibility is operational: this person performs the task. Accountability is governance: this person owns the outcome. In PCI, these roles are often blurred or duplicated, which means that when something goes wrong, nobody is clearly on the hook — and when audits come around, multiple people claim ownership of the same control without any of them actually running it.",[16,6928,6929],{},"The RACI model (Responsible, Accountable, Consulted, Informed) is a well-worn solution to this problem — but only when applied with rigor. A RACI matrix that was built two years ago and hasn't been updated since an acquisition, a reorg, or a new product launch is often worse than no RACI at all. It creates false confidence.",[16,6931,6932],{},"PCI role assignments need to be reviewed every time the business changes — not just every time the standard does.",[6876,6934],{},[11,6936,6938],{"id":6937},"mistake-3-letting-vendor-relationships-create-ownership-gaps","Mistake #3: Letting Vendor Relationships Create Ownership Gaps",[16,6940,6941,6942,6946],{},"PCI DSS Requirement 12.8 is clear: organizations are responsible for managing the compliance of all ",[257,6943,6945],{"href":6944},"\u002Fglossary\u002Fthird-party-risk","third-party service providers"," who have access to cardholder data. 
In practice, many organizations interpret this requirement as \"get a copy of their AOC and file it.\"",[16,6948,6949],{},"That's not management. That's documentation.",[16,6951,6952],{},"The gap shows up when a vendor has a breach, when a third-party integration introduces a vulnerability, or when an assessor asks how the organization monitors the compliance posture of its vendors — and the answer is \"we check their certificate once a year.\"",[16,6954,6955],{},"Vendor ownership in PCI requires a named internal owner for each critical third-party relationship. Someone who understands what that vendor does, what data they access, what their contractual security obligations are, and what the escalation path looks like if something goes wrong. Without that, vendor risk exists on paper but is managed by nobody.",[6876,6957],{},[11,6959,6961],{"id":6960},"mistake-4-role-assignments-that-dont-survive-personnel-changes","Mistake #4: Role Assignments That Don't Survive Personnel Changes",[16,6963,6964],{},"PCI roles are often documented at the person level — \"Sarah owns firewall management,\" \"Marco is responsible for log review\" — rather than at the function level. When Sarah leaves or Marco moves to a different team, the role doesn't transfer cleanly. Institutional knowledge walks out the door, and the new person inherits a responsibility they weren't briefed on.",[16,6966,6967],{},"This is especially dangerous in small security teams, where one person often carries multiple PCI functions. When that person leaves without a proper transition, entire sections of the compliance program can become effectively unowned — sometimes for months before anyone notices.",[16,6969,6970],{},"Sustainable role assignment means documenting at the position level, not the individual level. It means keeping role documentation alive and connected to onboarding processes, so that new team members understand their compliance obligations from day one. 
And it means building succession into the program architecture, not treating it as an afterthought.",[6876,6972],{},[11,6974,6976],{"id":6975},"mistake-5-assuming-the-ciso-owns-everything-that-isnt-assigned-elsewhere","Mistake #5: Assuming the CISO Owns Everything That Isn't Assigned Elsewhere",[16,6978,6979],{},"In many organizations, the CISO is the implicit owner of last resort. If a PCI requirement doesn't have a clear owner, it defaults upward — and eventually lands on the security leader's desk.",[16,6981,6982],{},"This is a governance problem masquerading as an efficiency problem. When the CISO is the catch-all for unassigned compliance obligations, two things happen: the CISO is spending time on operational tasks that should be delegated, and the organization's compliance program lacks the distributed ownership structure it needs to function at scale.",[16,6984,6985],{},"The CISO's role in PCI should be strategic: defining the program, setting the accountability structure, owning the relationship with assessors, and reporting to the board on risk posture. The moment the CISO is personally responsible for reviewing firewall rule changes or validating log configurations, something in the ownership model has broken down.",[16,6987,6988],{},"A well-structured PCI program distributes operational ownership to the teams closest to the work — and gives the CISO visibility into all of it without requiring their direct involvement in any of it.",[6876,6990],{},[11,6992,6994],{"id":6993},"what-getting-it-right-actually-looks-like","What Getting It Right Actually Looks Like",[16,6996,6997],{},"The organizations that manage PCI compliance most effectively share a few traits. Their role assignments are documented at the function level and reviewed on a regular cadence. Their business unit owners understand their obligations — not just their technical ones. Their vendor relationships have named internal owners with active oversight responsibilities. 
And their CISO has clear visibility into the program without being buried in its day-to-day operations.",[16,6999,7000],{},"None of this requires a larger team. It requires a more deliberate structure.",[16,7002,7003],{},"PCI compliance isn't won or lost in the technical controls. It's won or lost in the clarity of who owns them, who monitors them, and who is accountable when they fail.",[6876,7005],{},[16,7007,7008],{},[20,7009,7010],{},"Is your PCI ownership model as clear as you think it is?",[16,7012,7013,7014,7018,7019,7022],{},"At ",[257,7015,7017],{"href":7016},"\u002F","episki",", we help security leaders build compliance programs where accountability is real — not just documented. From role mapping to third-party oversight to board-level reporting, we work alongside your team to make sure your ",[257,7020,7021],{"href":602},"PCI"," program holds up when it matters most.",[16,7024,7025],{},[257,7026,7028],{"href":279,"rel":7027},[274],"Let's talk →",[6876,7030],{},[16,7032,7033],{},[1523,7034,7035],{},"Compliance on paper isn't compliance. It's paperwork.",{"title":284,"searchDepth":285,"depth":285,"links":7037},[7038,7039,7040,7041,7042,7043],{"id":6894,"depth":285,"text":6895},{"id":6919,"depth":285,"text":6920},{"id":6937,"depth":285,"text":6938},{"id":6960,"depth":285,"text":6961},{"id":6975,"depth":285,"text":6976},{"id":6993,"depth":285,"text":6994},"craft","2026-04-15","Unclear ownership is one of the most common — and costly — failures in PCI compliance. 
Here's what security leaders get wrong about defining roles, and how to fix it.",{"src":7048},"\u002Fimages\u002Fblog\u002FPCI.jpg",{"slug":7050},"defined-roles-pci-compliance-mistakes","\u002Fnow\u002Fdefined-roles-pci-compliance-mistakes",{"title":6860,"description":7046},"3.now\u002Fdefined-roles-pci-compliance-mistakes","0u0CncSJsrHMYJZWMH_BzWgau-vuQTBQ7NdBBVQMz7Q",{"id":7056,"title":7057,"advantages":7058,"body":7080,"checklist":7087,"cta":7096,"description":7084,"extension":298,"faq":630,"hero":7099,"meta":7107,"name":7108,"navigation":316,"path":7109,"resources":7110,"seo":7123,"slug":7126,"stats":7127,"stem":7137,"__hash__":7138},"industries\u002F6. industry\u002F1.healthcare.md","Healthcare",[7059,7066,7073],{"title":7060,"description":7061,"bullets":7062},"PHI-aware control mapping","Map administrative, technical, and physical safeguards to your stack without rebuilding every audit.",[7063,7064,7065],"Track EHR, identity, and cloud evidence with structured ownership","Track segmentation, backups, and log retention against HIPAA safeguards","Map once for HIPAA and reuse for HITRUST or regional requirements",{"title":7067,"description":7068,"bullets":7069},"Clinician-friendly workflows","Keep nurses, clinicians, and ops aligned without burying them in tickets.",[7070,7071,7072],"Role-aware tasks routed to the right owner with due dates","Playbooks show “what good looks like” for PHI handling","Attestations and approvals captured inline for auditors",{"title":7074,"description":7075,"bullets":7076},"Auditor and partner collaboration","Give regulators, payers, and partners scoped access instead of email threads.",[7077,7078,7079],"Auditor portal with threaded Q&A per safeguard","Secure uploads with expirations and access controls","Exports for SOC 2, PCI, or privacy questionnaires",{"type":8,"value":7081,"toc":7085},[7082],[16,7083,7084],{},"Healthcare buyers move fast when they trust your safeguards. 
episki keeps PHI protections documented, monitored, and shareable without slowing product or patient care.",{"title":284,"searchDepth":285,"depth":285,"links":7086},[],{"title":7088,"description":7089,"items":7090},"Healthtech compliance checklist","Use this inside your trial to assign owners, attach evidence, and track renewals.",[7091,7092,7093,7094,7095],"HIPAA safeguard library mapped to your systems","BAA tracker with renewal reminders and risk scoring","Incident response runbooks with timelines and owners","Access, logging, and backup verification tasks","Third-party risk reviews tied to PHI data flows",{"title":7097,"description":7098},"Launch a healthtech-ready workspace","Connect your stack, invite stakeholders, and show PHI protections the same day.",{"headline":7100,"title":7101,"description":7102,"links":7103},"HIPAA-grade governance without slowing clinicians","Keep PHI protections provable across cloud apps, clinics, and vendors","episki maps safeguards, automates evidence, and gives auditors scoped access so healthtech teams can keep shipping.",[7104,7106],{"label":7105,"icon":4359,"to":272},"Start healthtech trial",{"label":4361,"icon":6722,"color":4363,"variant":4364,"to":279,"target":4365},{},"healthcare and healthtech","\u002Findustry\u002Fhealthcare",{"headline":7111,"title":7111,"description":7112,"items":7113},"Healthcare enablement kit","Keep leadership, clinicians, and auditors aligned on the same story.",[7114,7117,7120],{"title":7115,"description":7116},"PHI data flow deck","Share sanitized diagrams plus segmentation notes for customers and partners.",{"title":7118,"description":7119},"Board + payer brief","Summarize control health, incidents, and remediation in plain language.",{"title":7121,"description":7122},"Auditor-ready workspace","Prebuilt template for requests, evidence, and walkthrough scheduling.",{"title":7124,"description":7125},"Healthcare Compliance Software","HIPAA-ready GRC for healthtech teams. 
Map safeguards, track PHI evidence, and collaborate with auditors in one secure workspace. Start your free trial.","healthcare",[7128,7131,7134],{"value":7129,"description":7130},"30-day rollout","Move from baseline controls to monitored safeguards in under a month.",{"value":7132,"description":7133},"PHI-safe sharing","Role-based portals keep BAAs, policies, and diagrams organized and protected.",{"value":7135,"description":7136},"Continuous watch","Drift detection across access, logging, vendors, and incidents.","6. industry\u002F1.healthcare","831E5Bdk5x1SUBhE8YrTZtQjqMJj9Q3vjQivX_AG0IQ",1776395351922]