NIST 800-172 Control Explorer


ID | Family
Requirement
3.1.1e | Access Control

Employ dual authorization to execute critical or sensitive system and organizational

3.1.2e | Access Control

Restrict access to systems and system components to only those information resources that are owned, provisioned, or issued by the organization.

3.1.3e | Access Control

Employ [Assignment: organization-defined secure information transfer solutions] to control information flows between security domains on connected systems.

3.2.1e | Awareness and Training

Provide awareness training [Assignment: organization-defined frequency] focused on recognizing and responding to threats from social engineering, advanced persistent threat actors, breaches, and suspicious behaviors; update the training [Assignment: organization-defined frequency] or when there are significant changes to the threat.

3.2.2e | Awareness and Training

Include practical exercises in awareness training for [Assignment: organization-defined roles] that are aligned with current threat scenarios and provide feedback to individuals involved in the training and their supervisors.

3.4.1e | Configuration Management

Establish and maintain an authoritative source and repository to provide a trusted source and accountability for approved and implemented system components.

3.4.2e | Configuration Management

Employ automated mechanisms to detect misconfigured or unauthorized system components; after detection, [Selection (one or more): remove the components; place the components in a quarantine or remediation network] to facilitate patching, re-configuration, or other mitigations.

3.4.3e | Configuration Management

Employ automated discovery and management tools to maintain an up-to-date, complete, accurate, and readily available inventory of system components.
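Worked example for 3.4.1e through 3.4.3e, added here as an illustration (it is not NIST text and not code from this page): reconcile what a discovery tool reports against the authoritative repository, classify each component, and assign the remove/quarantine action 3.4.2e calls for. The repository entries, scan results, hosts and configuration text are all constructed; the config fingerprint canonicalizes comments and whitespace so that cosmetic edits are not reported as drift.

```python
"""Reconcile discovered components against the authoritative repository
(illustration for 3.4.1e through 3.4.3e; added here, not NIST text or code
from this page). Repository entries, scan results and configs are constructed.

Assumptions: the repository records, per (host, component), the approved
version and a fingerprint of the approved configuration; a discovery tool
reports what actually runs, including the live config text.
"""
from __future__ import annotations

import hashlib
from dataclasses import dataclass


def config_fingerprint(text: str) -> str:
    """Hash a config after dropping comments, blank lines and whitespace
    noise, so cosmetic edits are not drift but any directive change is.
    Simplification: a '#' inside a value would be stripped as well."""
    kept = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            kept.append(" ".join(line.split()))
    return hashlib.sha256("\n".join(kept).encode()).hexdigest()


@dataclass(frozen=True)
class Approved:
    version: str
    config_fp: str


@dataclass(frozen=True)
class Finding:
    host: str
    component: str
    status: str   # compliant | misconfigured | unauthorized | missing
    action: str   # none | quarantine | remove | investigate


def reconcile(repo: dict[tuple[str, str], Approved], discovered: list[dict]) -> list[Finding]:
    findings, seen = [], set()
    for d in discovered:
        key = (d["host"], d["component"])
        seen.add(key)
        ref = repo.get(key)
        if ref is None:
            # Not in the authoritative source at all: remove it (3.4.2e).
            findings.append(Finding(*key, "unauthorized", "remove"))
        elif d["version"] != ref.version or config_fingerprint(d["config"]) != ref.config_fp:
            # Approved component running in an unapproved state: isolate for remediation.
            findings.append(Finding(*key, "misconfigured", "quarantine"))
        else:
            findings.append(Finding(*key, "compliant", "none"))
    for key in sorted(repo.keys() - seen):
        # Approved but not discovered: the inventory (3.4.3e) or the host needs a look.
        findings.append(Finding(*key, "missing", "investigate"))
    return findings


# Constructed baselines and sample data.
SSHD_BASELINE = "PermitRootLogin no\nPasswordAuthentication no\n"
NGINX_BASELINE = "server_tokens off;\nssl_protocols TLSv1.2 TLSv1.3;\n"

REPO = {
    ("web-01", "sshd"): Approved("9.6", config_fingerprint(SSHD_BASELINE)),
    ("web-01", "nginx"): Approved("1.24.0", config_fingerprint(NGINX_BASELINE)),
    ("db-01", "sshd"): Approved("9.6", config_fingerprint(SSHD_BASELINE)),
    ("db-01", "postgres"): Approved("16.2", config_fingerprint("ssl = on\n")),
}

DISCOVERED = [
    # Same directives as the baseline, different formatting plus a comment: compliant.
    {"host": "web-01", "component": "sshd", "version": "9.6",
     "config": "# managed by config-mgmt\nPermitRootLogin   no\n\nPasswordAuthentication no  # keys only\n"},
    {"host": "web-01", "component": "nginx", "version": "1.24.0", "config": NGINX_BASELINE},
    # Not in the repository at all.
    {"host": "web-01", "component": "ncat", "version": "7.94", "config": ""},
    # Approved component, but a directive was changed.
    {"host": "db-01", "component": "sshd", "version": "9.6",
     "config": "PermitRootLogin yes\nPasswordAuthentication no\n"},
    # db-01/postgres is approved but not reported by discovery.
]


def actions(repo=REPO, discovered=DISCOVERED) -> dict[tuple[str, str], str]:
    """(host, component) -> action, for feeding a remediation workflow."""
    return {(f.host, f.component): f.action for f in reconcile(repo, discovered)}


if __name__ == "__main__":
    for f in reconcile(REPO, DISCOVERED):
        print(f)
```

The version check and the fingerprint check are deliberately separate conditions so that a quarantine decision can carry which of the two tripped; a real pipeline would also record the discovery timestamp so that "missing" findings can be distinguished from components that were simply not scanned yet.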

3.5.1e | Identification and Authentication

Identify and authenticate [Assignment: organization-defined systems and system components] before establishing a network connection using bidirectional authentication that is cryptographically based and replay resistant.
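Worked example for 3.5.1e, added here as an illustration (not NIST text and not code from this page): a three-message mutual challenge-response in which each side authenticates the other with a keyed MAC over a nonce it chose itself, which is what makes the exchange replay resistant. The shared 256-bit key per device and HMAC-SHA256 are assumptions standing in for the per-device certificate or hardware-bound key a real deployment would use; the device names are constructed.

```python
"""Mutual, cryptographically based, replay-resistant device authentication
(illustration for 3.5.1e; added here, not NIST text or code from this page).

Assumptions: each device shares a 256-bit key with the controller (a stand-in
for the per-device certificate or hardware-bound key a real deployment would
use) and HMAC-SHA256 is the primitive. Freshness comes from each side's own
random nonce, so a captured message cannot be replayed into a later session.
"""
from __future__ import annotations

import hashlib
import hmac
import secrets

NONCE_LEN = 16


def _proof(key: bytes, prover: str, verifier_nonce: bytes, prover_nonce: bytes) -> bytes:
    # The prover's identity is part of the MAC input so a proof cannot be
    # reflected back at the party that produced it; both nonces bind the
    # proof to this one exchange.
    msg = b"\x00".join([prover.encode(), verifier_nonce, prover_nonce])
    return hmac.new(key, msg, hashlib.sha256).digest()


class Peer:
    def __init__(self, name: str, key: bytes):
        self.name, self.key = name, key
        self.my_nonce = b""
        self.peer_nonce = b""

    def initiate(self) -> bytes:
        """Message 1 (initiator -> responder): a fresh challenge nonce."""
        self.my_nonce = secrets.token_bytes(NONCE_LEN)
        return self.my_nonce

    def respond(self, peer_nonce: bytes) -> tuple[bytes, bytes]:
        """Message 2 (responder -> initiator): own nonce plus a proof over the
        initiator's challenge. The responder authenticates first."""
        self.peer_nonce = peer_nonce
        self.my_nonce = secrets.token_bytes(NONCE_LEN)
        return self.my_nonce, _proof(self.key, self.name, peer_nonce, self.my_nonce)

    def finish(self, peer_name: str, peer_nonce: bytes, peer_proof: bytes) -> bytes | None:
        """Message 3 (initiator -> responder): verify the responder's proof
        against our own nonce, then answer the responder's challenge.
        Returns None if the responder failed to authenticate."""
        expected = _proof(self.key, peer_name, self.my_nonce, peer_nonce)
        if not hmac.compare_digest(expected, peer_proof):
            return None
        self.peer_nonce = peer_nonce
        return _proof(self.key, self.name, peer_nonce, self.my_nonce)

    def accept(self, peer_name: str, peer_proof: bytes) -> bool:
        """Responder verifies message 3; only now is the link mutually authenticated."""
        expected = _proof(self.key, peer_name, self.my_nonce, self.peer_nonce)
        return hmac.compare_digest(expected, peer_proof)


def run_handshake(controller_key: bytes, device_key: bytes) -> tuple[bool, bool]:
    """Returns (responder authenticated to initiator, initiator authenticated to responder)."""
    ctl, dev = Peer("controller", controller_key), Peer("sensor-17", device_key)
    n_ctl = ctl.initiate()
    n_dev, dev_proof = dev.respond(n_ctl)
    ctl_proof = ctl.finish("sensor-17", n_dev, dev_proof)
    if ctl_proof is None:
        return False, False
    return True, dev.accept("controller", ctl_proof)


def replay_is_rejected(key: bytes) -> bool:
    """Capture message 2 from a genuine session and replay it into a new one."""
    ctl, dev = Peer("controller", key), Peer("sensor-17", key)
    captured = dev.respond(ctl.initiate())
    victim = Peer("controller", key)
    victim.initiate()                  # new session, new challenge nonce
    return victim.finish("sensor-17", *captured) is None


if __name__ == "__main__":
    k = secrets.token_bytes(32)
    print("mutual auth:", run_handshake(k, k))                     # (True, True)
    print("wrong key:", run_handshake(k, secrets.token_bytes(32)))  # (False, False)
    print("replay rejected:", replay_is_rejected(k))                # True
```

The network connection should not carry any data until `accept` has returned True on the responder side; a responder that starts serving after message 2 has authenticated itself but has not yet authenticated the initiator, which is exactly the one-directional authentication 3.5.1e rules out.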

3.5.2e | Identification and Authentication

Employ automated mechanisms for the generation, protection, rotation, and management of passwords for systems and system components that do not support multifactor authentication or complex account management.

3.5.3e | Identification and Authentication

Employ automated or manual/procedural mechanisms to prohibit system components from connecting to organizational systems unless the components are known, authenticated, in a properly configured state, or in a trust profile.

3.6.1e | Incident Response

Establish and maintain a security operations center capability that operates [Assignment: organization-defined time period].

3.6.2e | Incident Response

Establish and maintain a cyber incident response team that can be deployed by the organization within [Assignment: organization-defined time period].

3.9.1e | Personnel Security

Conduct [Assignment: organization-defined enhanced personnel screening] for individuals and reassess individual positions and access to CUI [Assignment: organization-defined frequency].

3.9.2e | Personnel Security

Ensure that organizational systems are protected if adverse information develops or is obtained about individuals with access to CUI.

3.11.1e | Risk Assessment

Employ [Assignment: organization-defined sources of threat intelligence] as part of a risk assessment to guide and inform the development of organizational systems, security architectures, selection of security solutions, monitoring, threat hunting, and response and recovery activities.

3.11.2e | Risk Assessment

Conduct cyber threat hunting activities [Selection (one or more): [Assignment: organization-defined frequency]; [Assignment: organization-defined event]] to search for indicators of compromise in [Assignment: organization-defined systems] and detect, track, and disrupt threats that evade existing controls.

3.11.3e | Risk Assessment

Employ advanced automation and analytics capabilities in support of analysts to predict and identify risks to organizations, systems, and system components.

3.11.4e | Risk Assessment

Document or reference in the system security plan the security solution selected, the rationale for the security solution, and the risk determination.

3.11.5e | Risk Assessment

Assess the effectiveness of security solutions [Assignment: organization-defined frequency] to address anticipated risk to organizational systems and the organization based on current and accumulated threat intelligence.

3.11.6e | Risk Assessment

Assess, respond to, and monitor supply chain risks associated with organizational systems and system components.

3.11.7e | Risk Assessment

Develop a plan for managing supply chain risks associated with organizational systems and system components; update the plan [Assignment: organization-defined frequency].

3.12.1e | Security Assessment

Conduct penetration testing [Assignment: organization-defined frequency], leveraging automated scanning tools and ad hoc tests using subject matter experts.

3.13.1e | System and Communications Protection

Create diversity in [Assignment: organization-defined system components] to reduce the extent of malicious code propagation.

3.13.2e | System and Communications Protection

Implement the following changes to organizational systems and system components to introduce a degree of unpredictability into operations: [Assignment: organization-defined changes and frequency of changes by system and system component].

3.13.3e | System and Communications Protection

Employ [Assignment: organization-defined technical and procedural means] to confuse and mislead adversaries.

3.13.4e | System and Communications Protection

Employ [Selection: (one or more): [Assignment: organization-defined physical isolation techniques]; [Assignment: organization-defined logical isolation techniques]] in organizational systems and system components.

3.13.5e | System and Communications Protection

Distribute and relocate the following system functions or resources [Assignment: organization-defined frequency]: [Assignment: organization-defined system functions or resources].

3.14.1e | System and Information Integrity

Verify the integrity of [Assignment: organization-defined security critical or essential software] using root of trust mechanisms or cryptographic signatures.
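Worked example for 3.14.1e, added here as an illustration (not NIST text and not code from this page): verify a set of security-critical files against an authenticated hash manifest, authenticating the manifest before trusting any hash in it. The HMAC-SHA256 used to authenticate the manifest is a standard-library stand-in for the digital signature (for example Ed25519) a real deployment would verify with a public key anchored in a root of trust such as a TPM or the Secure Boot chain; the key, file names and file contents are constructed.

```python
"""Verify security-critical files against an authenticated manifest
(illustration for 3.14.1e; added here, not NIST text or code from this page).

Assumptions: the manifest carries a SHA-256 per file and is authenticated with
HMAC-SHA256 under a key the verifier holds. The HMAC is a stdlib-only stand-in
for the digital signature (e.g. Ed25519) a real deployment would check with a
public key anchored in a root of trust such as a TPM or the Secure Boot chain.
"""
from __future__ import annotations

import hashlib
import hmac
import json


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def _canonical(digests: dict[str, str]) -> bytes:
    # Deterministic encoding so signer and verifier authenticate identical bytes.
    return json.dumps({"files": digests}, sort_keys=True, separators=(",", ":")).encode()


def build_manifest(files: dict[str, bytes], key: bytes) -> dict:
    """Release-time step, run by the trusted source (see 3.4.1e): hash every
    file, then authenticate the whole table."""
    digests = {name: sha256_hex(data) for name, data in files.items()}
    auth = hmac.new(key, _canonical(digests), hashlib.sha256).hexdigest()
    return {"files": digests, "auth": auth}


def verify(files: dict[str, bytes], manifest: dict, key: bytes) -> list[str]:
    """Boot- or deploy-time step. Returns a list of problems; [] means intact.
    The manifest is authenticated first: unauthenticated hashes prove nothing."""
    digests = manifest.get("files", {})
    expected = hmac.new(key, _canonical(digests), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, str(manifest.get("auth", ""))):
        return ["manifest: authentication failed, hashes are untrusted"]
    problems = []
    for name, digest in digests.items():
        if name not in files:
            problems.append(f"{name}: missing")
        elif not hmac.compare_digest(sha256_hex(files[name]), digest):
            problems.append(f"{name}: hash mismatch")
    for name in sorted(files.keys() - digests.keys()):
        # An unlisted file in a protected location is a finding too.
        problems.append(f"{name}: present but not in manifest")
    return problems


# Constructed sample "files": the contents stand in for the real binaries.
KEY = b"\x42" * 32
RELEASE = {
    "bin/agent": b"ELF...constructed agent binary",
    "etc/agent.conf": b"verify_tls = true\n",
}
MANIFEST = build_manifest(RELEASE, KEY)


def tampered_binary() -> list[str]:
    on_disk = {**RELEASE, "bin/agent": b"ELF...backdoored"}
    return verify(on_disk, MANIFEST, KEY)


def tampered_manifest() -> list[str]:
    # The attacker rewrites the hash to match the backdoored binary but
    # cannot re-authenticate the manifest without the key.
    on_disk = {**RELEASE, "bin/agent": b"ELF...backdoored"}
    forged = json.loads(json.dumps(MANIFEST))
    forged["files"]["bin/agent"] = sha256_hex(on_disk["bin/agent"])
    return verify(on_disk, forged, KEY)


if __name__ == "__main__":
    print(verify(RELEASE, MANIFEST, KEY))   # []
    print(tampered_binary())                # ['bin/agent: hash mismatch']
    print(tampered_manifest())              # ['manifest: authentication failed, hashes are untrusted']
```

The ordering inside `verify` is the part worth copying: if the manifest check is done after the per-file checks, an attacker who can edit both the binary and the manifest produces a clean report from a compromised system.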

3.14.2e | System and Information Integrity

Monitor organizational systems and system components on an ongoing basis for anomalous or suspicious behavior.

3.14.3e | System and Information Integrity

Ensure that [Assignment: organization-defined systems and system components] are included in the scope of the specified enhanced security requirements or are segregated in purpose-specific networks.

3.14.4e | System and Information Integrity

Refresh [Assignment: organization-defined systems and system components] from a known, trusted state [Assignment: organization-defined frequency].

3.14.5e | System and Information Integrity

Conduct reviews of persistent organizational storage locations [Assignment: organization-defined frequency] and remove CUI that is no longer needed.

3.14.6e | System and Information Integrity

Use threat indicator information and effective mitigations obtained from [Assignment: organization-defined external organizations] to guide and inform intrusion detection and threat hunting.
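Worked example serving both 3.11.2e (hunting for indicators of compromise) and 3.14.6e (indicators obtained from external organizations), added here as an illustration (not NIST text and not code from this page): normalize a small indicator feed, including the defanged forms feeds commonly ship, and run it over host telemetry, reporting each hit together with the external source that supplied the indicator so the analyst can track it back. The feed, the log format, the hosts and every log line are constructed; the IP addresses and domains are from documentation and reserved ranges.

```python
"""Hunt for externally supplied indicators of compromise in host telemetry
(illustration for 3.11.2e and 3.14.6e; added here, not NIST text or code from
this page). The feed, the log format and the log lines are all constructed.

Assumptions: indicators arrive as IPs, domains or SHA-256 file hashes, often
"defanged" (hxxp, [.]) and in mixed case, and each carries the name of the
external organization that supplied it so a hit can be traced to its source.
"""
from __future__ import annotations

import hashlib
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Indicator:
    kind: str    # "ip" | "domain" | "sha256"
    value: str
    source: str  # external organization that supplied it (3.14.6e)


def refang(value: str) -> str:
    """Normalize defanged feed entries so they match live telemetry."""
    return (value.strip().lower()
            .replace("[.]", ".").replace("(.)", ".").replace("hxxp", "http"))


SAMPLE_HASH = hashlib.sha256(b"constructed malicious sample").hexdigest()

# Constructed feed: RFC 5737 documentation address, reserved .example name.
FEED = [
    Indicator("ip", "198.51.100.23", "sector-ISAC"),
    Indicator("domain", "update[.]bad-cdn[.]example", "vendor-report-0425"),
    Indicator("sha256", SAMPLE_HASH.upper(), "CERT-advisory"),
]

# Constructed telemetry: one event per line, key=value fields after the event kind.
LOGS = f"""
2024-05-01T10:00:01Z host=ws-042 dns query=cdn7.update.bad-cdn.example answer=198.51.100.23
2024-05-01T10:00:02Z host=ws-042 conn dst=198.51.100.23 dport=443
2024-05-01T10:00:03Z host=ws-042 exec path=/opt/updater/svc sha256={SAMPLE_HASH}
2024-05-01T10:01:00Z host=ws-007 dns query=www.example.com answer=192.0.2.10
2024-05-01T10:02:00Z host=srv-01 conn dst=10.0.0.5 dport=22
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) host=(?P<host>\S+) (?P<kind>dns|conn|exec) (?P<fields>.*)$")


def index_feed(feed: list[Indicator]) -> dict[str, dict[str, Indicator]]:
    by_kind: dict[str, dict[str, Indicator]] = {"ip": {}, "domain": {}, "sha256": {}}
    for ind in feed:
        norm = Indicator(ind.kind, refang(ind.value), ind.source)
        by_kind[ind.kind][norm.value] = norm
    return by_kind


def match_domain(name: str, domains: dict[str, Indicator]) -> Indicator | None:
    # An indicator for update.bad-cdn.example must also catch
    # cdn7.update.bad-cdn.example, so test the name and every parent suffix.
    labels = name.lower().split(".")
    for i in range(len(labels)):
        hit = domains.get(".".join(labels[i:]))
        if hit:
            return hit
    return None


def hunt(log_text: str, feed: list[Indicator]) -> list[tuple[str, str, str, str, str]]:
    """Returns (timestamp, host, indicator kind, indicator value, feed source) per hit."""
    ioc = index_feed(feed)
    hits = []
    for line in log_text.strip().splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skipped here; a production hunt should count unparsed lines
        fields = dict(kv.split("=", 1) for kv in m["fields"].split())
        hit = None
        if m["kind"] == "dns":
            hit = match_domain(fields["query"], ioc["domain"])
        elif m["kind"] == "conn":
            hit = ioc["ip"].get(fields["dst"])
        elif m["kind"] == "exec":
            hit = ioc["sha256"].get(fields["sha256"].lower())
        if hit:
            hits.append((m["ts"], m["host"], hit.kind, hit.value, hit.source))
    return hits


if __name__ == "__main__":
    for h in hunt(LOGS, FEED):
        print(h)
```

Three hits on the same host within two seconds (resolution, connection, execution) is the pattern a hunter pivots on; carrying the feed source through to the hit is what lets the organization report back to the ISAC or vendor, as 3.14.6e's two-way use of threat information implies.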

3.14.7e | System and Information Integrity

Verify the correctness of [Assignment: organization-defined security critical or essential software, firmware, and hardware components] using [Assignment: organization-defined verification methods or techniques].