|Access Control (AC)
|C002 Control internal system access
|Control information flows between security domains on connected systems.
|Periodically review and update CUI program access permissions.
|C003 Control remote system access
|Restrict remote network access based on organizational defined risk factors such as time of day, location of access, physical location, network connection state and measured properties of the current user and role.
|Asset Management (AM)
|C006 Manage asset inventory
|Employ automated capability to discover and identify systems with specific component attributes (e.g., firmware level, OS type) within your inventory.
|Audit & Accountability (AU)
|C010 Review and manage audit logs
|Automate analysis of audit logs to identify and act on critical indicators (TTPs) and/or organizationally-defined suspicious activity.
|Review audit information for broad activity in addition to per-machine activity.
|Awareness & Training (AT)
|C011 Conduct security awareness activities
|Provide awareness training focused on recognizing and responding to threats from social engineering, advanced persistent threat actors, breaches and suspicious behaviors; update the training at least annually or when there are significant changes to the threat.
|Include practical exercises in awareness training that are aligned with current threat scenarios and provide feedback to individuals involved in the training.
|Configuration Management (CM)
|C014 Perform configuration and change management
|Employ application whitelisting and an application vetting process for systems identified by the organization.
|Incident Response (IR)
|C016 Plan incident response
|Use knowledge of attacker tactics, techniques and procedures in incident response planning and execution.
|C018 Develop and implement a response to a declared incident
|Establish and maintain a Security Operations Center (SOC) capability that facilitates a 24/7 response capability.
|Risk Management (RM)
|C031 Identify and evaluate risk
|Catalog and periodically update threat profiles and adversary Tactics, Techniques & Procedures (TTPs).
|Employ threat intelligence to inform the development of the system and security architectures, selection of security solutions, monitoring, threat hunting and response and recovery activities.
|Perform scans for unauthorized ports available across perimeter network boundaries, over the organization’s Internet boundaries and other organization-defined boundaries.
|C033 Manage supply chain risk
|Develop and update as required, a plan for managing supply chain risks associated with the IT supply chain.
|Security Assessment (CA)
|C034 Develop and manage a system security plan
|Create, maintain and leverage a security strategy and roadmap for organizational cybersecurity improvement.
|C035 Define and manage controls
|Conduct penetration testing periodically, leveraging automated scanning tools and ad hoc tests using human experts.
|Periodically perform red teaming against organizational assets in order to validate defensive capabilities
|Situational Awareness (SA)
|C037 Implement threat monitoring
|Establish and maintain a cyber threat hunting capability to search for Indicators of Compromise (IoC) in organizational systems and detect, track and disrupt threats that evade existing controls.
|Design network and system security capabilities to leverage, integrate and share Indicators of Compromise (IoC).
|System & Communications Protection (SC)
|C038 Define security requirements for systems and communications
|Employ physical and logical isolation techniques in the system and security architecture and/or and where deemed appropriate by the organization.
|Isolate administratrion of organizationally-defined high-value critical network infrastructure components and servers.
|C039 Control communications at system boundaries
|Utilize threat intelligence to proactively block DNS requests from reaching malicious domains.
|Employ mechanisms to analyze executable code and scripts (e.g., sandbox) traversing Internet network boundaries or other organizationally-defined boundaries.
|Utilize a URL categorization service and implement techniques to enforce URL filtering of websites that are not approved by the organization.
|System & Information Integrity (SI)
|C040 Identify and manage information system flaws
|Use threat indicator information relevant to the information and systems being protected and effective mitigations obtained from external organizations to inform intrusion detection and threat hunting.