Revision Changes
What changed between framework revisions, derived directly from NIST's official version-to-version transition crosswalks (via CPRT / OLIR). Each current element is classified by how it relates to the prior revision.
Carried overRestructuredNew
Cybersecurity Framework v1.1 → v2.0
32 carried83 restructured0 new115 total
| v2.0 Element | Title | v1.1 Source | Change |
|---|---|---|---|
| DE | Possible cybersecurity attacks and compromises are found and analyzed | DE | Carried over |
| DE.AE | Anomalies, indicators of compromise, and other potentially adverse events are analyzed to characterize the events and detect cybersecurity incidents | DE.AE, DE.DP-2 | Restructured |
| DE.AE-02 | Potentially adverse events are analyzed to better understand associated activities | DE.AE-2 | Carried over |
| DE.AE-03 | Information is correlated from multiple sources | DE.AE-3 | Carried over |
| DE.AE-04 | The estimated impact and scope of adverse events are understood | DE.AE-4 | Carried over |
| DE.AE-06 | Information on adverse events is provided to authorized staff and tools | DE.DP-4 | Restructured |
| DE.AE-07 | Cyber threat intelligence and other contextual information are integrated into the analysis | DE.AE-3 | Restructured |
| DE.AE-08 | Incidents are declared when adverse events meet the defined incident criteria | DE.AE-5 | Restructured |
| DE.CM | Assets are monitored to find anomalies, indicators of compromise, and other potentially adverse events | DE.CM | Carried over |
| DE.CM-01 | Networks and network services are monitored to find potentially adverse events | DE.CM-1, DE.CM-4, DE.CM-5, DE.CM-7 | Restructured |
| DE.CM-02 | The physical environment is monitored to find potentially adverse events | DE.CM-2 | Carried over |
| DE.CM-03 | Personnel activity and technology usage are monitored to find potentially adverse events | DE.CM-3, DE.CM-7 | Restructured |
| DE.CM-06 | External service provider activities and services are monitored to find potentially adverse events | DE.CM-6, DE.CM-7 | Restructured |
| DE.CM-09 | Computing hardware and software, runtime environments, and their data are monitored to find potentially adverse events | PR.DS-6, PR.DS-8, DE.CM-4, DE.CM-5, DE.CM-7 | Restructured |
| GV | The organization's cybersecurity risk management strategy, expectations, and policy are established, communicated, and monitored | ID.GV | Restructured |
| GV.OC | The circumstances - mission, stakeholder expectations, dependencies, and legal, regulatory, and contractual requirements - surrounding the organization's cybersecurity risk management decisions are understood | ID.BE | Restructured |
| GV.OC-01 | The organizational mission is understood and informs cybersecurity risk management | ID.BE-2, ID.BE-3 | Restructured |
| GV.OC-02 | Internal and external stakeholders are understood, and their needs and expectations regarding cybersecurity risk management are understood and considered | ID.SC-2, ID.GV-2 | Restructured |
| GV.OC-03 | Legal, regulatory, and contractual requirements regarding cybersecurity - including privacy and civil liberties obligations - are understood and managed | ID.GV-3 | Restructured |
| GV.OC-04 | Critical objectives, capabilities, and services that stakeholders depend on or expect from the organization are understood and communicated | ID.BE-5, ID.BE-4 | Restructured |
| GV.OC-05 | Outcomes, capabilities, and services that the organization depends on are understood and communicated | ID.BE-1, ID.BE-4 | Restructured |
| GV.PO | Organizational cybersecurity policy is established, communicated, and enforced | ID.GV-1 | Restructured |
| GV.PO-01 | Policy for managing cybersecurity risks is established based on organizational context, cybersecurity strategy, and priorities and is communicated and enforced | ID.GV-1 | Restructured |
| GV.PO-02 | Policy for managing cybersecurity risks is reviewed, updated, communicated, and enforced to reflect changes in requirements, threats, technology, and organizational mission | ID.GV-1 | Restructured |
| GV.RM | The organization's priorities, constraints, risk tolerance and appetite statements, and assumptions are established, communicated, and used to support operational risk decisions | ID.RM | Restructured |
| GV.RM-01 | Risk management objectives are established and agreed to by organizational stakeholders | ID.RM-1 | Restructured |
| GV.RM-02 | Risk appetite and risk tolerance statements are established, communicated, and maintained | ID.RM-2, ID.RM-3 | Restructured |
| GV.RM-03 | Cybersecurity risk management activities and outcomes are included in enterprise risk management processes | ID.GV-4 | Restructured |
| GV.RM-04 | Strategic direction that describes appropriate risk response options is established and communicated | ID.RM-2 | Restructured |
| GV.RM-05 | Lines of communication across the organization are established for cybersecurity risks, including risks from suppliers and other third parties | ID.SC-1 | Restructured |
| GV.RM-06 | A standardized method for calculating, documenting, categorizing, and prioritizing cybersecurity risks is established and communicated | ID.RM-1 | Restructured |
| GV.RR | Cybersecurity roles, responsibilities, and authorities to foster accountability, performance assessment, and continuous improvement are established and communicated | ID.GV-2 | Restructured |
| GV.RR-02 | Roles, responsibilities, and authorities related to cybersecurity risk management are established, communicated, understood, and enforced | ID.AM-6, ID.GV-2, DE.DP-1 | Restructured |
| GV.RR-03 | Adequate resources are allocated commensurate with the cybersecurity risk strategy, roles, responsibilities, and policies | ID.RM-1 | Restructured |
| GV.RR-04 | Cybersecurity is included in human resources practices | PR.IP-11 | Restructured |
| GV.SC | Cyber supply chain risk management processes are identified, established, managed, monitored, and improved by organizational stakeholders | ID.SC | Restructured |
| GV.SC-01 | A cybersecurity supply chain risk management program, strategy, objectives, policies, and processes are established and agreed to by organizational stakeholders | ID.SC-1 | Restructured |
| GV.SC-02 | Cybersecurity roles and responsibilities for suppliers, customers, and partners are established, communicated, and coordinated internally and externally | ID.AM-6 | Restructured |
| GV.SC-03 | Cybersecurity supply chain risk management is integrated into cybersecurity and enterprise risk management, risk assessment, and improvement processes | ID.SC-2 | Restructured |
| GV.SC-04 | Suppliers are known and prioritized by criticality | ID.SC-2 | Restructured |
| GV.SC-05 | Requirements to address cybersecurity risks in supply chains are established, prioritized, and integrated into contracts and other types of agreements with suppliers and other relevant third parties | ID.SC-3 | Restructured |
| GV.SC-06 | Planning and due diligence are performed to reduce risks before entering into formal supplier or other third-party relationships | ID.SC-1 | Restructured |
| GV.SC-07 | The risks posed by a supplier, their products and services, and other third parties are understood, recorded, prioritized, assessed, responded to, and monitored over the course of the relationship | ID.SC-2, ID.SC-4 | Restructured |
| GV.SC-08 | Relevant suppliers and other third parties are included in incident planning, response, and recovery activities | ID.SC-5 | Restructured |
| GV.SC-09 | Supply chain security practices are integrated into cybersecurity and enterprise risk management programs, and their performance is monitored throughout the technology product and service life cycle | ID.SC-1 | Restructured |
| GV.SC-10 | Cybersecurity supply chain risk management plans include provisions for activities that occur after the conclusion of a partnership or service agreement | ID.SC-1 | Restructured |
| ID | The organization's current cybersecurity risks are understood | ID | Carried over |
| ID.AM | Assets (e.g., data, hardware, software, systems, facilities, services, people) that enable the organization to achieve business purposes are identified and managed consistent with their relative importance to organizational objectives and the organization's risk strategy | ID.AM | Carried over |
| ID.AM-01 | Inventories of hardware managed by the organization are maintained | ID.AM-1 | Carried over |
| ID.AM-02 | Inventories of software, services, and systems managed by the organization are maintained | ID.AM-2 | Carried over |
| ID.AM-03 | Representations of the organization's authorized network communication and internal and external network data flows are maintained | ID.AM-3, DE.AE-1 | Restructured |
| ID.AM-04 | Inventories of services provided by suppliers are maintained | ID.AM-4 | Carried over |
| ID.AM-05 | Assets are prioritized based on classification, criticality, resources, and impact on the mission | ID.AM-5 | Carried over |
| ID.AM-08 | Systems, hardware, software, services, and data are managed throughout their life cycles | PR.DS-3, PR.IP-2, PR.MA-1, PR.MA-2, PR.IP-6, PR.DS | Restructured |
| ID.IM | Improvements to organizational cybersecurity risk management processes, procedures and activities are identified across all CSF Functions | RS.IM, RC.IM, PR.IP-7, DE.DP-5 | Restructured |
| ID.IM-02 | Improvements are identified from security tests and exercises, including those done in coordination with suppliers and relevant third parties | ID.SC-5, PR.IP-10, DE.DP-3 | Restructured |
| ID.IM-03 | Improvements are identified from execution of operational processes, procedures, and activities | PR.IP-7, PR.IP-8, DE.DP-5, RS.IM-1, RS.IM-2, RC.IM-1, RC.IM-2 | Restructured |
| ID.IM-04 | Incident response plans and other cybersecurity plans that affect operations are established, communicated, maintained, and improved | PR.IP-9, RS.IM-1, RC.IM-1, PR.IP-10 | Restructured |
| ID.RA | The cybersecurity risk to the organization, assets, and individuals is understood by the organization | ID.RA | Carried over |
| ID.RA-01 | Vulnerabilities in assets are identified, validated, and recorded | ID.RA-1, PR.IP-12, DE.CM-8 | Restructured |
| ID.RA-02 | Cyber threat intelligence is received from information sharing forums and sources | ID.RA-2 | Carried over |
| ID.RA-03 | Internal and external threats to the organization are identified and recorded | ID.RA-3 | Carried over |
| ID.RA-04 | Potential impacts and likelihoods of threats exploiting vulnerabilities are identified and recorded | ID.RA-4 | Carried over |
| ID.RA-05 | Threats, vulnerabilities, likelihoods, and impacts are used to understand inherent risk and inform risk response prioritization | ID.RA-5 | Carried over |
| ID.RA-06 | Risk responses are chosen, prioritized, planned, tracked, and communicated | ID.RA-6, RS.MI-3 | Restructured |
| ID.RA-07 | Changes and exceptions are managed, assessed for risk impact, recorded, and tracked | PR.IP-3 | Restructured |
| ID.RA-08 | Processes for receiving, analyzing, and responding to vulnerability disclosures are established | RS.AN-5 | Restructured |
| ID.RA-09 | The authenticity and integrity of hardware and software are assessed prior to acquisition and use | PR.DS-8 | Restructured |
| ID.RA-10 | Critical suppliers are assessed prior to acquisition | ID.SC-2, ID.SC-4 | Restructured |
| PR | Safeguards to manage the organization's cybersecurity risks are used | PR | Carried over |
| PR.AA | Access to physical and logical assets is limited to authorized users, services, and hardware and managed commensurate with the assessed risk of unauthorized access | PR.AC | Restructured |
| PR.AA-01 | Identities and credentials for authorized users, services, and hardware are managed by the organization | PR.AC-1 | Restructured |
| PR.AA-02 | Identities are proofed and bound to credentials based on the context of interactions | PR.AC-6 | Restructured |
| PR.AA-03 | Users, services, and hardware are authenticated | PR.AC-3, PR.AC-7 | Restructured |
| PR.AA-05 | Access permissions, entitlements, and authorizations are defined in a policy, managed, enforced, and reviewed, and incorporate the principles of least privilege and separation of duties | PR.AC-1, PR.AC-3, PR.AC-4 | Restructured |
| PR.AA-06 | Physical access to assets is managed, monitored, and enforced commensurate with risk | PR.AC-2, PR.PT-4 | Restructured |
| PR.AT | The organization's personnel are provided with cybersecurity awareness and training so that they can perform their cybersecurity-related tasks | PR.AT | Carried over |
| PR.AT-01 | Personnel are provided with awareness and training so that they possess the knowledge and skills to perform general tasks with cybersecurity risks in mind | PR.AT-1, PR.AT-3, RS.CO-1 | Restructured |
| PR.AT-02 | Individuals in specialized roles are provided with awareness and training so that they possess the knowledge and skills to perform relevant tasks with cybersecurity risks in mind | PR.AT-2, PR.AT-3, PR.AT-4, PR.AT-5 | Restructured |
| PR.DS | Data are managed consistent with the organization's risk strategy to protect the confidentiality, integrity, and availability of information | PR.DS | Carried over |
| PR.DS-01 | The confidentiality, integrity, and availability of data-at-rest are protected | PR.DS-1, PR.DS-5, PR.DS-6, PR.PT-2 | Restructured |
| PR.DS-02 | The confidentiality, integrity, and availability of data-in-transit are protected | PR.DS-2, PR.DS-5 | Restructured |
| PR.DS-10 | The confidentiality, integrity, and availability of data-in-use are protected | PR.DS-5 | Restructured |
| PR.DS-11 | Backups of data are created, protected, maintained, and tested | PR.IP-4 | Restructured |
| PR.IR-01 | Networks and environments are protected from unauthorized logical access and usage | PR.AC-3, PR.AC-5, PR.DS-7, PR.PT-4 | Restructured |
| PR.IR-02 | The organization's technology assets are protected from environmental threats | PR.IP-5 | Restructured |
| PR.IR-03 | Mechanisms are implemented to achieve resilience requirements in normal and adverse situations | PR.PT-5 | Restructured |
| PR.IR-04 | Adequate resource capacity to ensure availability is maintained | PR.DS-4 | Restructured |
| PR.PS-01 | Configuration management practices are established and applied | PR.IP-1, PR.IP-3, PR.PT-2, PR.PT-3 | Restructured |
| PR.PS-02 | Software is maintained, replaced, and removed commensurate with risk | PR.IP-12, PR.MA-2 | Restructured |
| PR.PS-03 | Hardware is maintained, replaced, and removed commensurate with risk | PR.MA-1, PR.DS-3 | Restructured |
| PR.PS-04 | Log records are generated and made available for continuous monitoring | PR.PT-1 | Restructured |
| PR.PS-06 | Secure software development practices are integrated, and their performance is monitored throughout the software development life cycle | PR.IP-2 | Restructured |
| RC | Assets and operations affected by a cybersecurity incident are restored | RC | Carried over |
| RC.CO | Restoration activities are coordinated with internal and external parties | RC.CO | Carried over |
| RC.CO-03 | Recovery activities and progress in restoring operational capabilities are communicated to designated internal and external stakeholders | RC.CO-3 | Carried over |
| RC.CO-04 | Public updates on incident recovery are shared using approved methods and messaging | RC.CO-1, RS.CO-2 | Restructured |
| RC.RP | Restoration activities are performed to ensure operational availability of systems and services affected by cybersecurity incidents | RC.RP | Carried over |
| RC.RP-01 | The recovery portion of the incident response plan is executed once initiated from the incident response process | RC.RP-1 | Carried over |
| RC.RP-02 | Recovery actions are selected, scoped, prioritized, and performed | RC.RP-1 | Restructured |
| RS | Actions regarding a detected cybersecurity incident are taken | RS | Carried over |
| RS.AN | Investigations are conducted to ensure effective response and support forensics and recovery activities | RS.AN | Carried over |
| RS.AN-03 | Analysis is performed to establish what has taken place during an incident and the root cause of the incident | RS.AN-3 | Carried over |
| RS.AN-06 | Actions performed during an investigation are recorded, and the records' integrity and provenance are preserved | RS.AN-3 | Restructured |
| RS.CO | Response activities are coordinated with internal and external stakeholders as required by laws, regulations, or policies | RS.CO | Carried over |
| RS.CO-02 | Internal and external stakeholders are notified of incidents | RS.CO-2, RS.CO-3 | Restructured |
| RS.CO-03 | Information is shared with designated internal and external stakeholders | RS.CO-3, RS.CO-5 | Restructured |
| RS.MA | Responses to detected cybersecurity incidents are managed | RS.RP | Restructured |
| RS.MA-01 | The incident response plan is executed in coordination with relevant third parties once an incident is declared | RS.RP-1, RS.CO-4 | Restructured |
| RS.MA-02 | Incident reports are triaged and validated | RS.AN-1, RS.AN-2 | Restructured |
| RS.MA-03 | Incidents are categorized and prioritized | RS.AN-4, RS.AN-2 | Restructured |
| RS.MA-04 | Incidents are escalated or elevated as needed | RS.AN-2, RS.CO-4 | Restructured |
| RS.MI | Activities are performed to prevent expansion of an event and mitigate its effects | RS.MI | Carried over |
| RS.MI-01 | Incidents are contained | RS.MI-1 | Carried over |
| RS.MI-02 | Incidents are eradicated | RS.MI-2 | Carried over |
SP 800-171 Rev 2 → Rev 3
77 carried1 restructured19 new97 total
| Rev 3 Element | Title | Rev 2 Source | Change |
|---|---|---|---|
| 03.01.01 | Account Management | 3.1.1 | Carried over |
| 03.01.02 | Access Enforcement | 3.1.2 | Carried over |
| 03.01.03 | Information Flow Enforcement | 3.1.3 | Carried over |
| 03.01.04 | Separation of Duties | 3.1.4 | Carried over |
| 03.01.05 | Least Privilege | 3.1.5 | Carried over |
| 03.01.06 | Least Privilege – Privileged Accounts | 3.1.6 | Carried over |
| 03.01.07 | Least Privilege – Privileged Functions | 3.1.7 | Carried over |
| 03.01.08 | Unsuccessful Logon Attempts | 3.1.8 | Carried over |
| 03.01.09 | System Use Notification | 3.1.9 | Carried over |
| 03.01.10 | Device Lock | 3.1.10 | Carried over |
| 03.01.11 | Session Termination | 3.1.11 | Carried over |
| 03.01.12 | Remote Access | 3.1.12 | Carried over |
| 03.01.16 | Wireless Access | 3.1.16 | Carried over |
| 03.01.18 | Access Control for Mobile Devices | 3.1.18 | Carried over |
| 03.01.20 | Use of External Systems | 3.1.20 | Carried over |
| 03.01.22 | Publicly Accessible Content | 3.1.22 | Carried over |
| 03.02.01 | Literacy Training and Awareness | 3.2.1 | Carried over |
| 03.02.02 | Role-Based Training | 3.2.2 | Carried over |
| 03.03.01 | Event Logging | 3.3.1 | Carried over |
| 03.03.02 | Audit Record Content | 3.3.2 | Carried over |
| 03.03.03 | Audit Record Generation | 3.3.3 | Carried over |
| 03.03.04 | Response to Audit Logging Process Failures | 3.3.4 | Carried over |
| 03.03.05 | Audit Record Review, Analysis, and Reporting | 3.3.5 | Carried over |
| 03.03.06 | Audit Record Reduction and Report Generation | 3.3.6 | Carried over |
| 03.03.07 | Time Stamps | 3.3.7 | Carried over |
| 03.03.08 | Protection of Audit Information | 3.3.8 | Carried over |
| 03.04.01 | Baseline Configuration | 3.4.1 | Carried over |
| 03.04.02 | Configuration Settings | 3.4.2 | Carried over |
| 03.04.03 | Configuration Change Control | 3.4.3 | Carried over |
| 03.04.04 | Impact Analyses | 3.4.4 | Carried over |
| 03.04.05 | Access Restrictions for Change | 3.4.5 | Carried over |
| 03.04.06 | Least Functionality | 3.4.6 | Carried over |
| 03.04.08 | Authorized Software – Allow by Exception | 3.4.8 | Carried over |
| 03.04.10 | System Component Inventory | — | New |
| 03.04.11 | Information Location | — | New |
| 03.04.12 | System and Component Configuration for High-Risk Areas | — | New |
| 03.05.01 | User Identification and Authentication | 3.5.1 | Carried over |
| 03.05.02 | Device Identification and Authentication | 3.5.2 | Carried over |
| 03.05.03 | Multi-Factor Authentication | 3.5.3 | Carried over |
| 03.05.04 | Replay-Resistant Authentication | 3.5.4 | Carried over |
| 03.05.05 | Identifier Management | 3.5.5 | Carried over |
| 03.05.07 | Password Management | 3.5.7 | Carried over |
| 03.05.11 | Authentication Feedback | 3.5.11 | Carried over |
| 03.05.12 | Authenticator Management | — | New |
| 03.06.01 | Incident Handling | 3.6.1 | Carried over |
| 03.06.02 | Incident Monitoring, Reporting, and Response Assistance | 3.6.2 | Carried over |
| 03.06.03 | Incident Response Testing | 3.6.3 | Carried over |
| 03.06.04 | Incident Response Training | — | New |
| 03.06.05 | Incident Response Plan | — | New |
| 03.07.04 | Maintenance Tools | 3.7.4 | Carried over |
| 03.07.05 | Nonlocal Maintenance | 3.7.5 | Carried over |
| 03.07.06 | Maintenance Personnel | 3.7.6 | Carried over |
| 03.08.01 | Media Storage | 3.8.1 | Carried over |
| 03.08.02 | Media Access | 3.8.2 | Carried over |
| 03.08.03 | Media Sanitization | 3.8.3 | Carried over |
| 03.08.04 | Media Marking | 3.8.4 | Carried over |
| 03.08.05 | Media Transport | 3.8.5 | Carried over |
| 03.08.07 | Media Use | 3.8.7 | Carried over |
| 03.08.09 | System Backup – Cryptographic Protection | 3.8.9 | Carried over |
| 03.09.01 | Personnel Screening | 3.9.1 | Carried over |
| 03.09.02 | Personnel Termination and Transfer | 3.9.2 | Carried over |
| 03.10.01 | Physical Access Authorizations | 3.10.1 | Carried over |
| 03.10.02 | Monitoring Physical Access | 3.10.2 | Carried over |
| 03.10.06 | Alternate Work Site | 3.10.6 | Carried over |
| 03.10.07 | Physical Access Control | — | New |
| 03.10.08 | Access Control for Transmission | — | New |
| 03.11.01 | Risk Assessment | 3.11.1 | Carried over |
| 03.11.02 | Vulnerability Monitoring and Scanning | 3.11.2 | Carried over |
| 03.11.04 | Risk Response | — | New |
| 03.12.01 | Security Assessment | 3.12.1 | Carried over |
| 03.12.02 | Plan of Action and Milestones | 3.12.2 | Carried over |
| 03.12.03 | Continuous Monitoring | 3.12.3 | Carried over |
| 03.12.05 | Information Exchange | — | New |
| 03.13.01 | Boundary Protection | 3.13.1 | Carried over |
| 03.13.04 | Information in Shared System Resources | 3.13.4 | Carried over |
| 03.13.06 | Network Communications – Deny by Default – Allow by Exception | 3.13.6 | Carried over |
| 03.13.08 | Transmission and Storage Confidentiality | 3.13.8 | Carried over |
| 03.13.09 | Network Disconnect | 3.13.9 | Carried over |
| 03.13.10 | Cryptographic Key Establishment and Management | 3.13.10 | Carried over |
| 03.13.11 | Cryptographic Protection | 3.13.11 | Carried over |
| 03.13.12 | Collaborative Computing Devices and Applications | 3.13.12 | Carried over |
| 03.13.13 | Mobile Code | 3.13.13 | Carried over |
| 03.13.15 | Session Authenticity | 3.13.15 | Carried over |
| 03.14.01 | Flaw Remediation | 3.14.1 | Carried over |
| 03.14.02 | Malicious Code Protection | 3.14.2 | Carried over |
| 03.14.03 | Security Alerts, Advisories, and Directives | 3.14.3 | Carried over |
| 03.14.06 | System Monitoring | 3.14.6 | Carried over |
| 03.14.08 | Information Management and Retention | — | New |
| 03.15.01 | Policy and Procedures | — | New |
| 03.15.02 | System Security Plan | 3.12.4 | Restructured |
| 03.15.03 | Rules of Behavior | — | New |
| 03.16.01 | Security Engineering Principles | — | New |
| 03.16.02 | Unsupported System Components | — | New |
| 03.16.03 | External System Services | — | New |
| 03.17.01 | Supply Chain Risk Management Plan | — | New |
| 03.17.02 | Acquisition Strategies, Tools, and Methods | — | New |
| 03.17.03 | Supply Chain Requirements and Processes | — | New |
Source crosswalks: CSFv1.1-to-CSFv2.0, SP-800-171-Rev-2-to-SP-800-171-Rev-3. Generated from NIST CPRT.