Revision Changes

What changed between framework revisions, derived directly from NIST's official version-to-version transition crosswalks (via CPRT / OLIR). Each current element is classified by how it relates to the prior revision.

Carried overRestructuredNew

Cybersecurity Framework v1.1v2.0

32 carried83 restructured0 new115 total
v2.0 ElementTitlev1.1 SourceChange
DEPossible cybersecurity attacks and compromises are found and analyzedDECarried over
DE.AEAnomalies, indicators of compromise, and other potentially adverse events are analyzed to characterize the events and detect cybersecurity incidentsDE.AE, DE.DP-2Restructured
DE.AE-02Potentially adverse events are analyzed to better understand associated activitiesDE.AE-2Carried over
DE.AE-03Information is correlated from multiple sourcesDE.AE-3Carried over
DE.AE-04The estimated impact and scope of adverse events are understoodDE.AE-4Carried over
DE.AE-06Information on adverse events is provided to authorized staff and toolsDE.DP-4Restructured
DE.AE-07Cyber threat intelligence and other contextual information are integrated into the analysisDE.AE-3Restructured
DE.AE-08Incidents are declared when adverse events meet the defined incident criteriaDE.AE-5Restructured
DE.CMAssets are monitored to find anomalies, indicators of compromise, and other potentially adverse eventsDE.CMCarried over
DE.CM-01Networks and network services are monitored to find potentially adverse eventsDE.CM-1, DE.CM-4, DE.CM-5, DE.CM-7Restructured
DE.CM-02The physical environment is monitored to find potentially adverse eventsDE.CM-2Carried over
DE.CM-03Personnel activity and technology usage are monitored to find potentially adverse eventsDE.CM-3, DE.CM-7Restructured
DE.CM-06External service provider activities and services are monitored to find potentially adverse eventsDE.CM-6, DE.CM-7Restructured
DE.CM-09Computing hardware and software, runtime environments, and their data are monitored to find potentially adverse eventsPR.DS-6, PR.DS-8, DE.CM-4, DE.CM-5, DE.CM-7Restructured
GVThe organization's cybersecurity risk management strategy, expectations, and policy are established, communicated, and monitoredID.GVRestructured
GV.OCThe circumstances - mission, stakeholder expectations, dependencies, and legal, regulatory, and contractual requirements - surrounding the organization's cybersecurity risk management decisions are understoodID.BERestructured
GV.OC-01The organizational mission is understood and informs cybersecurity risk managementID.BE-2, ID.BE-3Restructured
GV.OC-02Internal and external stakeholders are understood, and their needs and expectations regarding cybersecurity risk management are understood and consideredID.SC-2, ID.GV-2Restructured
GV.OC-03Legal, regulatory, and contractual requirements regarding cybersecurity - including privacy and civil liberties obligations - are understood and managedID.GV-3Restructured
GV.OC-04Critical objectives, capabilities, and services that stakeholders depend on or expect from the organization are understood and communicatedID.BE-5, ID.BE-4Restructured
GV.OC-05Outcomes, capabilities, and services that the organization depends on are understood and communicatedID.BE-1, ID.BE-4Restructured
GV.POOrganizational cybersecurity policy is established, communicated, and enforcedID.GV-1Restructured
GV.PO-01Policy for managing cybersecurity risks is established based on organizational context, cybersecurity strategy, and priorities and is communicated and enforcedID.GV-1Restructured
GV.PO-02Policy for managing cybersecurity risks is reviewed, updated, communicated, and enforced to reflect changes in requirements, threats, technology, and organizational missionID.GV-1Restructured
GV.RMThe organization's priorities, constraints, risk tolerance and appetite statements, and assumptions are established, communicated, and used to support operational risk decisionsID.RMRestructured
GV.RM-01Risk management objectives are established and agreed to by organizational stakeholdersID.RM-1Restructured
GV.RM-02Risk appetite and risk tolerance statements are established, communicated, and maintainedID.RM-2, ID.RM-3Restructured
GV.RM-03Cybersecurity risk management activities and outcomes are included in enterprise risk management processesID.GV-4Restructured
GV.RM-04Strategic direction that describes appropriate risk response options is established and communicatedID.RM-2Restructured
GV.RM-05Lines of communication across the organization are established for cybersecurity risks, including risks from suppliers and other third partiesID.SC-1Restructured
GV.RM-06A standardized method for calculating, documenting, categorizing, and prioritizing cybersecurity risks is established and communicatedID.RM-1Restructured
GV.RRCybersecurity roles, responsibilities, and authorities to foster accountability, performance assessment, and continuous improvement are established and communicatedID.GV-2Restructured
GV.RR-02Roles, responsibilities, and authorities related to cybersecurity risk management are established, communicated, understood, and enforcedID.AM-6, ID.GV-2, DE.DP-1Restructured
GV.RR-03Adequate resources are allocated commensurate with the cybersecurity risk strategy, roles, responsibilities, and policiesID.RM-1Restructured
GV.RR-04Cybersecurity is included in human resources practicesPR.IP-11Restructured
GV.SCCyber supply chain risk management processes are identified, established, managed, monitored, and improved by organizational stakeholdersID.SCRestructured
GV.SC-01A cybersecurity supply chain risk management program, strategy, objectives, policies, and processes are established and agreed to by organizational stakeholdersID.SC-1Restructured
GV.SC-02Cybersecurity roles and responsibilities for suppliers, customers, and partners are established, communicated, and coordinated internally and externallyID.AM-6Restructured
GV.SC-03Cybersecurity supply chain risk management is integrated into cybersecurity and enterprise risk management, risk assessment, and improvement processesID.SC-2Restructured
GV.SC-04Suppliers are known and prioritized by criticalityID.SC-2Restructured
GV.SC-05Requirements to address cybersecurity risks in supply chains are established, prioritized, and integrated into contracts and other types of agreements with suppliers and other relevant third partiesID.SC-3Restructured
GV.SC-06Planning and due diligence are performed to reduce risks before entering into formal supplier or other third-party relationshipsID.SC-1Restructured
GV.SC-07The risks posed by a supplier, their products and services, and other third parties are understood, recorded, prioritized, assessed, responded to, and monitored over the course of the relationshipID.SC-2, ID.SC-4Restructured
GV.SC-08Relevant suppliers and other third parties are included in incident planning, response, and recovery activitiesID.SC-5Restructured
GV.SC-09Supply chain security practices are integrated into cybersecurity and enterprise risk management programs, and their performance is monitored throughout the technology product and service life cycleID.SC-1Restructured
GV.SC-10Cybersecurity supply chain risk management plans include provisions for activities that occur after the conclusion of a partnership or service agreementID.SC-1Restructured
IDThe organization's current cybersecurity risks are understoodIDCarried over
ID.AMAssets (e.g., data, hardware, software, systems, facilities, services, people) that enable the organization to achieve business purposes are identified and managed consistent with their relative importance to organizational objectives and the organization's risk strategyID.AMCarried over
ID.AM-01Inventories of hardware managed by the organization are maintainedID.AM-1Carried over
ID.AM-02Inventories of software, services, and systems managed by the organization are maintainedID.AM-2Carried over
ID.AM-03Representations of the organization's authorized network communication and internal and external network data flows are maintainedID.AM-3, DE.AE-1Restructured
ID.AM-04Inventories of services provided by suppliers are maintainedID.AM-4Carried over
ID.AM-05Assets are prioritized based on classification, criticality, resources, and impact on the missionID.AM-5Carried over
ID.AM-08Systems, hardware, software, services, and data are managed throughout their life cyclesPR.DS-3, PR.IP-2, PR.MA-1, PR.MA-2, PR.IP-6, PR.DSRestructured
ID.IMImprovements to organizational cybersecurity risk management processes, procedures and activities are identified across all CSF FunctionsRS.IM, RC.IM, PR.IP-7, DE.DP-5Restructured
ID.IM-02Improvements are identified from security tests and exercises, including those done in coordination with suppliers and relevant third partiesID.SC-5, PR.IP-10, DE.DP-3Restructured
ID.IM-03Improvements are identified from execution of operational processes, procedures, and activitiesPR.IP-7, PR.IP-8, DE.DP-5, RS.IM-1, RS.IM-2, RC.IM-1, RC.IM-2Restructured
ID.IM-04Incident response plans and other cybersecurity plans that affect operations are established, communicated, maintained, and improvedPR.IP-9, RS.IM-1, RC.IM-1, PR.IP-10Restructured
ID.RAThe cybersecurity risk to the organization, assets, and individuals is understood by the organizationID.RACarried over
ID.RA-01Vulnerabilities in assets are identified, validated, and recordedID.RA-1, PR.IP-12, DE.CM-8Restructured
ID.RA-02Cyber threat intelligence is received from information sharing forums and sourcesID.RA-2Carried over
ID.RA-03Internal and external threats to the organization are identified and recordedID.RA-3Carried over
ID.RA-04Potential impacts and likelihoods of threats exploiting vulnerabilities are identified and recordedID.RA-4Carried over
ID.RA-05Threats, vulnerabilities, likelihoods, and impacts are used to understand inherent risk and inform risk response prioritizationID.RA-5Carried over
ID.RA-06Risk responses are chosen, prioritized, planned, tracked, and communicatedID.RA-6, RS.MI-3Restructured
ID.RA-07Changes and exceptions are managed, assessed for risk impact, recorded, and trackedPR.IP-3Restructured
ID.RA-08Processes for receiving, analyzing, and responding to vulnerability disclosures are establishedRS.AN-5Restructured
ID.RA-09The authenticity and integrity of hardware and software are assessed prior to acquisition and usePR.DS-8Restructured
ID.RA-10Critical suppliers are assessed prior to acquisitionID.SC-2, ID.SC-4Restructured
PRSafeguards to manage the organization's cybersecurity risks are usedPRCarried over
PR.AAAccess to physical and logical assets is limited to authorized users, services, and hardware and managed commensurate with the assessed risk of unauthorized accessPR.ACRestructured
PR.AA-01Identities and credentials for authorized users, services, and hardware are managed by the organizationPR.AC-1Restructured
PR.AA-02Identities are proofed and bound to credentials based on the context of interactionsPR.AC-6Restructured
PR.AA-03Users, services, and hardware are authenticatedPR.AC-3, PR.AC-7Restructured
PR.AA-05Access permissions, entitlements, and authorizations are defined in a policy, managed, enforced, and reviewed, and incorporate the principles of least privilege and separation of dutiesPR.AC-1, PR.AC-3, PR.AC-4Restructured
PR.AA-06Physical access to assets is managed, monitored, and enforced commensurate with riskPR.AC-2, PR.PT-4Restructured
PR.ATThe organization's personnel are provided with cybersecurity awareness and training so that they can perform their cybersecurity-related tasksPR.ATCarried over
PR.AT-01Personnel are provided with awareness and training so that they possess the knowledge and skills to perform general tasks with cybersecurity risks in mindPR.AT-1, PR.AT-3, RS.CO-1Restructured
PR.AT-02Individuals in specialized roles are provided with awareness and training so that they possess the knowledge and skills to perform relevant tasks with cybersecurity risks in mindPR.AT-2, PR.AT-3, PR.AT-4, PR.AT-5Restructured
PR.DSData are managed consistent with the organization's risk strategy to protect the confidentiality, integrity, and availability of informationPR.DSCarried over
PR.DS-01The confidentiality, integrity, and availability of data-at-rest are protectedPR.DS-1, PR.DS-5, PR.DS-6, PR.PT-2Restructured
PR.DS-02The confidentiality, integrity, and availability of data-in-transit are protectedPR.DS-2, PR.DS-5Restructured
PR.DS-10The confidentiality, integrity, and availability of data-in-use are protectedPR.DS-5Restructured
PR.DS-11Backups of data are created, protected, maintained, and testedPR.IP-4Restructured
PR.IR-01Networks and environments are protected from unauthorized logical access and usagePR.AC-3, PR.AC-5, PR.DS-7, PR.PT-4Restructured
PR.IR-02The organization's technology assets are protected from environmental threatsPR.IP-5Restructured
PR.IR-03Mechanisms are implemented to achieve resilience requirements in normal and adverse situationsPR.PT-5Restructured
PR.IR-04Adequate resource capacity to ensure availability is maintainedPR.DS-4Restructured
PR.PS-01Configuration management practices are established and appliedPR.IP-1, PR.IP-3, PR.PT-2, PR.PT-3Restructured
PR.PS-02Software is maintained, replaced, and removed commensurate with riskPR.IP-12, PR.MA-2Restructured
PR.PS-03Hardware is maintained, replaced, and removed commensurate with riskPR.MA-1, PR.DS-3Restructured
PR.PS-04Log records are generated and made available for continuous monitoringPR.PT-1Restructured
PR.PS-06Secure software development practices are integrated, and their performance is monitored throughout the software development life cyclePR.IP-2Restructured
RCAssets and operations affected by a cybersecurity incident are restoredRCCarried over
RC.CORestoration activities are coordinated with internal and external partiesRC.COCarried over
RC.CO-03Recovery activities and progress in restoring operational capabilities are communicated to designated internal and external stakeholdersRC.CO-3Carried over
RC.CO-04Public updates on incident recovery are shared using approved methods and messagingRC.CO-1, RS.CO-2Restructured
RC.RPRestoration activities are performed to ensure operational availability of systems and services affected by cybersecurity incidentsRC.RPCarried over
RC.RP-01The recovery portion of the incident response plan is executed once initiated from the incident response processRC.RP-1Carried over
RC.RP-02Recovery actions are selected, scoped, prioritized, and performedRC.RP-1Restructured
RSActions regarding a detected cybersecurity incident are takenRSCarried over
RS.ANInvestigations are conducted to ensure effective response and support forensics and recovery activitiesRS.ANCarried over
RS.AN-03Analysis is performed to establish what has taken place during an incident and the root cause of the incidentRS.AN-3Carried over
RS.AN-06Actions performed during an investigation are recorded, and the records' integrity and provenance are preservedRS.AN-3Restructured
RS.COResponse activities are coordinated with internal and external stakeholders as required by laws, regulations, or policiesRS.COCarried over
RS.CO-02Internal and external stakeholders are notified of incidentsRS.CO-2, RS.CO-3Restructured
RS.CO-03Information is shared with designated internal and external stakeholdersRS.CO-3, RS.CO-5Restructured
RS.MAResponses to detected cybersecurity incidents are managedRS.RPRestructured
RS.MA-01The incident response plan is executed in coordination with relevant third parties once an incident is declaredRS.RP-1, RS.CO-4Restructured
RS.MA-02Incident reports are triaged and validatedRS.AN-1, RS.AN-2Restructured
RS.MA-03Incidents are categorized and prioritizedRS.AN-4, RS.AN-2Restructured
RS.MA-04Incidents are escalated or elevated as neededRS.AN-2, RS.CO-4Restructured
RS.MIActivities are performed to prevent expansion of an event and mitigate its effectsRS.MICarried over
RS.MI-01Incidents are containedRS.MI-1Carried over
RS.MI-02Incidents are eradicatedRS.MI-2Carried over

SP 800-171 Rev 2Rev 3

77 carried1 restructured19 new97 total
Rev 3 ElementTitleRev 2 SourceChange
03.01.01Account Management3.1.1Carried over
03.01.02Access Enforcement3.1.2Carried over
03.01.03Information Flow Enforcement3.1.3Carried over
03.01.04Separation of Duties3.1.4Carried over
03.01.05Least Privilege3.1.5Carried over
03.01.06Least Privilege – Privileged Accounts3.1.6Carried over
03.01.07Least Privilege – Privileged Functions3.1.7Carried over
03.01.08Unsuccessful Logon Attempts3.1.8Carried over
03.01.09System Use Notification3.1.9Carried over
03.01.10Device Lock3.1.10Carried over
03.01.11Session Termination3.1.11Carried over
03.01.12Remote Access3.1.12Carried over
03.01.16Wireless Access3.1.16Carried over
03.01.18Access Control for Mobile Devices3.1.18Carried over
03.01.20Use of External Systems3.1.20Carried over
03.01.22Publicly Accessible Content3.1.22Carried over
03.02.01Literacy Training and Awareness3.2.1Carried over
03.02.02Role-Based Training3.2.2Carried over
03.03.01Event Logging3.3.1Carried over
03.03.02Audit Record Content3.3.2Carried over
03.03.03Audit Record Generation3.3.3Carried over
03.03.04Response to Audit Logging Process Failures3.3.4Carried over
03.03.05Audit Record Review, Analysis, and Reporting3.3.5Carried over
03.03.06Audit Record Reduction and Report Generation3.3.6Carried over
03.03.07Time Stamps3.3.7Carried over
03.03.08Protection of Audit Information3.3.8Carried over
03.04.01Baseline Configuration3.4.1Carried over
03.04.02Configuration Settings3.4.2Carried over
03.04.03Configuration Change Control3.4.3Carried over
03.04.04Impact Analyses3.4.4Carried over
03.04.05Access Restrictions for Change3.4.5Carried over
03.04.06Least Functionality3.4.6Carried over
03.04.08Authorized Software – Allow by Exception3.4.8Carried over
03.04.10System Component InventoryNew
03.04.11Information LocationNew
03.04.12System and Component Configuration for High-Risk AreasNew
03.05.01User Identification and Authentication3.5.1Carried over
03.05.02Device Identification and Authentication3.5.2Carried over
03.05.03Multi-Factor Authentication3.5.3Carried over
03.05.04Replay-Resistant Authentication3.5.4Carried over
03.05.05Identifier Management3.5.5Carried over
03.05.07Password Management3.5.7Carried over
03.05.11Authentication Feedback3.5.11Carried over
03.05.12Authenticator ManagementNew
03.06.01Incident Handling3.6.1Carried over
03.06.02Incident Monitoring, Reporting, and Response Assistance3.6.2Carried over
03.06.03Incident Response Testing3.6.3Carried over
03.06.04Incident Response TrainingNew
03.06.05Incident Response PlanNew
03.07.04Maintenance Tools3.7.4Carried over
03.07.05Nonlocal Maintenance3.7.5Carried over
03.07.06Maintenance Personnel3.7.6Carried over
03.08.01Media Storage3.8.1Carried over
03.08.02Media Access3.8.2Carried over
03.08.03Media Sanitization3.8.3Carried over
03.08.04Media Marking3.8.4Carried over
03.08.05Media Transport3.8.5Carried over
03.08.07Media Use3.8.7Carried over
03.08.09System Backup – Cryptographic Protection3.8.9Carried over
03.09.01Personnel Screening3.9.1Carried over
03.09.02Personnel Termination and Transfer3.9.2Carried over
03.10.01Physical Access Authorizations3.10.1Carried over
03.10.02Monitoring Physical Access3.10.2Carried over
03.10.06Alternate Work Site3.10.6Carried over
03.10.07Physical Access ControlNew
03.10.08Access Control for TransmissionNew
03.11.01Risk Assessment3.11.1Carried over
03.11.02Vulnerability Monitoring and Scanning3.11.2Carried over
03.11.04Risk ResponseNew
03.12.01Security Assessment3.12.1Carried over
03.12.02Plan of Action and Milestones3.12.2Carried over
03.12.03Continuous Monitoring3.12.3Carried over
03.12.05Information ExchangeNew
03.13.01Boundary Protection3.13.1Carried over
03.13.04Information in Shared System Resources3.13.4Carried over
03.13.06Network Communications – Deny by Default – Allow by Exception3.13.6Carried over
03.13.08Transmission and Storage Confidentiality3.13.8Carried over
03.13.09Network Disconnect3.13.9Carried over
03.13.10Cryptographic Key Establishment and Management3.13.10Carried over
03.13.11Cryptographic Protection3.13.11Carried over
03.13.12Collaborative Computing Devices and Applications3.13.12Carried over
03.13.13Mobile Code3.13.13Carried over
03.13.15Session Authenticity3.13.15Carried over
03.14.01Flaw Remediation3.14.1Carried over
03.14.02Malicious Code Protection3.14.2Carried over
03.14.03Security Alerts, Advisories, and Directives3.14.3Carried over
03.14.06System Monitoring3.14.6Carried over
03.14.08Information Management and RetentionNew
03.15.01Policy and ProceduresNew
03.15.02System Security Plan3.12.4Restructured
03.15.03Rules of BehaviorNew
03.16.01Security Engineering PrinciplesNew
03.16.02Unsupported System ComponentsNew
03.16.03External System ServicesNew
03.17.01Supply Chain Risk Management PlanNew
03.17.02Acquisition Strategies, Tools, and MethodsNew
03.17.03Supply Chain Requirements and ProcessesNew

Source crosswalks: CSFv1.1-to-CSFv2.0, SP-800-171-Rev-2-to-SP-800-171-Rev-3. Generated from NIST CPRT.