We provide a report that gives a high-level summary of an organization's compliance with the US National Institute of Standards and Technology's Cybersecurity Framework, using our risk vectors and existing data as evidence.
Our automated report draws on data from our Security Ratings system and can be accessed at any time. It helps your organization supplement existing self-reporting systems and saves valuable time when you start qualifying vendors and clients against the NIST Cybersecurity Framework.
Share this report with regulators, auditors, clients, and vendors so they get a clear understanding of the company's cybersecurity performance, and that of its vendors, as it relates to the NIST framework.
NIST CSF Version 1.0
Directory
- Grading Methodology
- Supported Cybersecurity Framework Subcategories and Evidence
- Frequently Asked Questions
- Are All of the Cybersecurity Framework Requirements Covered by Bitsight?
- How Are Subcategories and Categories Graded?
- How Are Subcategories Mapped With Evidence?
- How Can I Obtain a Copy of My Organization's Bitsight NIST Report?
- How Is the Framework Organized?
- What Are the High-Level Functions of the Cybersecurity Framework?
- What Is in a Bitsight NIST Report?
- What Is the NIST Cybersecurity Framework?
Grading methodology
For each category, a weight (severity) is assigned to each grouping of risk vectors in a subcategory.
Learn how Bitsight Security Ratings are calculated.
Supported Cybersecurity Framework Subcategories and Evidence
Below is a list of the subcategories our risk vectors support, grouped by high-level function. If a subcategory is not listed, we do not yet support it.
Descriptions for each are as they appear in the framework document.
❖ To preserve confidentiality, not all subcategories are shown by default. A note regarding visibility is included wherever a subcategory appears in a report only under certain conditions. Such a subcategory is shown in your own report and does not appear in NIST CSF reports on your organization generated by other companies.
Function: Identify
Category: Asset Management
The data, personnel, devices, systems, and facilities that enable the organization to achieve business purposes are identified and managed consistent with their relative importance to business objectives and the organization’s risk strategy.
Subcategory | Details | Supporting Bitsight Data |
---|---|---|
ID.AM-2 Software platforms and applications within the organization are inventoried. | This control is supported with evidence from the Open Ports risk vector, which has external detection for software and applications within the organization. ❖ Included only if your organization is a Bitsight customer. | Assets |
Category: Risk Assessment
The organization understands the cybersecurity risk to organizational operations (including mission, functions, image, or reputation), organizational assets, and individuals.
Subcategory | Details | Supporting Bitsight Data |
---|---|---|
ID.RA-1 Asset vulnerabilities are identified and documented. | This control is supported with evidence from the Patching Cadence risk vector, which reflects vulnerabilities found on devices during an external scan of the organization's network perimeter. | |
ID.RA-3 Threats, both internal and external, are identified and documented. | This control is supported with evidence from the Forensics add-on package, which shows threats found on devices during an external scan of the organization's network perimeter. ❖ Included only if your organization has the Forensics add-on package. | Forensics |
ID.RA-5 Threats, vulnerabilities, likelihoods, and impacts are used to determine risk. | This control is supported with evidence from the Patching Cadence risk vector, which reflects vulnerabilities found on devices during an external scan of the organization's network perimeter. | |
Function: Protect
Category: Access Control
Access to assets and associated facilities is limited to authorized users, processes, or devices, and to authorized activities and transactions.
Subcategory | Details | Supporting Bitsight Data |
---|---|---|
PR.AC-1 Identities and credentials are managed for authorized devices and users. | | Open Ports |
PR.AC-3 Remote access is managed. | This control is supported with evidence of ports found to be open on firewalls and other devices during an external scan of the organization's network perimeter. | Open Ports |
PR.AC-5 Network integrity is protected, incorporating network segregation where appropriate. | This control is supported with evidence of ports found to be open on firewalls and other devices during an external scan of the organization's network perimeter. | Open Ports |
Category: Awareness and Training
The organization's personnel and partners are provided cybersecurity awareness education and are adequately trained to perform their information security-related duties and responsibilities consistent with related policies, procedures, and agreements.
Subcategory | Details | Supporting Bitsight Data |
---|---|---|
PR.AT-1 All users are informed and trained. | | |
Category: Data Security
Information and records (data) are managed consistent with the organization’s risk strategy to protect the confidentiality, integrity, and availability of information.
Subcategory | Details | Supporting Bitsight Data |
---|---|---|
PR.DS-2 Data-in-transit is protected. | This control is supported with evidence of enforced TLS/SSL encryption and certificates, as well as TLS/SSL configuration data showing whether correct encryption standards are in use or whether failing and weak protocols are present. | |
PR.DS-5 Protections against data leaks are implemented. | We support this control with evidence of data breaches from publicly disclosed security incidents. | Security Incidents |
Category: Information Protection Processes and Procedures
Security policies (that address purpose, scope, roles, responsibilities, management commitment, and coordination among organizational entities), processes, and procedures are maintained and used to manage protection of information systems and assets.
Subcategory | Details | Supporting Bitsight Data |
---|---|---|
PR.IP-1 | | |
PR.IP-3 | | |
PR.IP-7 Protection processes are continuously improved. | The Bitsight Security Rating indicates an improving protection process. | |
PR.IP-8 Effectiveness of protection technologies is shared with appropriate parties. | Using the Bitsight Security Ratings product within an organization is a way to share information about its security effectiveness. ❖ Only shown in your own report if your organization is a Bitsight customer. Does not appear in a NIST CSF report on your organization generated by others. | Bitsight Security Rating |
PR.IP-12 A vulnerability management plan is developed and implemented. | The use of the Bitsight platform and the generation of a Bitsight Security Ratings Report are a significant part of a vulnerability management program and, as such, demonstrate that a program has been implemented. ❖ Included only if your organization is a Bitsight customer. | |
Category: Maintenance
Maintenance and repairs of industrial control and information system components is performed consistent with policies and procedures.
Subcategory | Details | Supporting Bitsight Data |
---|---|---|
PR.MA-1 Maintenance and repair of organizational assets is performed and logged in a timely manner, with approved and controlled tools. | This control is supported with evidence of how current the software on several kinds of systems (servers, desktops, and mobile devices) is, indicating the organization's capacity to keep these systems up to date. | |
Category: Protective Technology
Technical security solutions are managed to ensure the security and resilience of systems and assets, consistent with related policies, procedures, and agreements.
Subcategory | Details | Supporting Bitsight Data |
---|---|---|
PR.PT-4 Communications and control networks are protected. | We support this control with evidence of ports found to be open on firewalls and other devices during an external scan of the organization's network perimeter. | Open Ports |
Function: Detect
Category: Anomalies and Events
Anomalous activity is detected in a timely manner and the potential impact of events is understood.
Subcategory | Details | Supporting Bitsight Data |
---|---|---|
DE.AE-2 Detected events are analyzed to understand attack targets and methods. | This control is supported with evidence from the Forensics add-on package, which shows details of malware communications found on devices during an external scan of the organization's network perimeter. ❖ Included only if your organization has the Forensics add-on package. | Forensics |
DE.AE-3 Event data are aggregated and correlated from multiple sources and sensors. | This control is supported with the use of the Bitsight Security Ratings product, which aggregates and correlates data from multiple external sources and sensors. ❖ Included only if your organization is a Bitsight customer. | |
Category: Detection Processes
Detection processes and procedures are maintained and tested to ensure timely and adequate awareness of anomalous events.
Subcategory | Details | Supporting Bitsight Data |
---|---|---|
DE.DP-4 Event detection information is communicated to appropriate parties. | Using the Bitsight Security Ratings product within an organization is a way to share information about its security effectiveness. ❖ Only shown in your own report if your organization is a Bitsight customer. Does not appear in NIST CSF reports on your organization generated by others. | Bitsight Security Rating |
DE.DP-5 Detection processes are continuously improved. | The trend of the Bitsight Security Rating reflects whether an organization is improving its detection processes over time. | |
Category: Security Continuous Monitoring
The information system and assets are monitored at discrete intervals to identify cybersecurity events and verify the effectiveness of protective measures.
Subcategory | Details | Supporting Bitsight Data |
---|---|---|
DE.CM-1 The network is monitored to detect potential cybersecurity events. | This control is supported with evidence of Compromised Systems events, such as botnets, spam, and malware attempting to communicate from within an organization's network. This information is found during an external scan of the organization's network perimeter, together with evidence of data breaches from publicly disclosed security incidents. | |
DE.CM-3 Personnel activity is monitored to detect potential cybersecurity events. | This control is supported with evidence of user activity in which files are shared over the BitTorrent protocol from within an organization's network. This information is found during an external scan of the organization's network perimeter. | File Sharing |
DE.CM-4 Malicious code is detected. | This control is supported with evidence of Compromised Systems events, such as botnets, spam, and malware attempting to communicate from within an organization's network. This information is found during an external scan of the organization's network perimeter. | |
DE.CM-5 Unauthorized mobile code is detected. | This control is supported with evidence of Compromised Systems events, such as botnets, spam, and malware attempting to communicate from within an organization's network. This information is found during an external scan of the organization's network perimeter. | |
DE.CM-6 External service provider activity is monitored to detect potential cybersecurity events. | This control is supported with evidence from the Bitsight for 4th Party Risk Management product, which shows service provider relationships and their Bitsight Security Ratings. ❖ Included only if your organization has Bitsight for 4th Party Risk Management. | Bitsight for 4th Party Risk Management |
DE.CM-7 Monitoring of unauthorized personnel, connections, devices, and software is performed. | This control is supported with evidence of employee file sharing and the possibility that confidential information might have been shared. | |
DE.CM-8 Vulnerability scans are performed. | This control is supported with evidence of server or desktop software vulnerabilities found on devices during an external scan of the organization's network perimeter. | |
Function: Respond
Category: Analysis
Analysis is conducted to ensure adequate response and support recovery activities.
Subcategory | Details | Supporting Bitsight Data |
---|---|---|
RS.AN-1 | | |
RS.AN-3 Forensics is performed. | This control is supported with evidence from the Forensics add-on package, which shows details of malware communications found on devices during an external scan of the organization's network perimeter. ❖ Included only if your organization has the Forensics add-on package. | Forensics |
Category: Mitigation
Activities are performed to prevent expansion of an event, mitigate its effects, and eradicate the incident.
Subcategory | Details | Supporting Bitsight Data |
---|---|---|
RS.MI-1 Incidents are contained. | This control is supported by the behavior of the Bitsight Security Rating, which drops after an event occurs and then levels off once the event is contained. | |
RS.MI-2 Incidents are mitigated. | This control is supported by the behavior of the Bitsight Security Rating, which levels off or improves after incidents are mitigated. | |
RS.MI-3 | | Patching Cadence |
Frequently Asked Questions
Are All of the Cybersecurity Framework Requirements Covered by Bitsight?
We (Bitsight) support the functions and requirement categories where our risk vectors and data can be used as evidence. Some framework requirements can only be fulfilled by examining certain aspects of an organization from within.
While we can help support a company's compliance from the outside using our data sources, mappings for which we have no visibility into an organization, for example an inventory of “physical devices and systems within the organization,” will need to be assessed through other channels.
How Are Subcategories and Categories Graded?
Categories are color-coded (blue, yellow, and red) based on the individual evidence grades for each subcategory. These evidence grades are sourced directly from our Security Ratings data. Blue indicates overall good evidence grades, and therefore strong coverage within the subcategory; yellow means that the company could improve in a few areas; and red means the company needs to make significant improvements to its cybersecurity posture.
Subcategories that we don't support aren't counted in the grading system or shown in the report.
How Are Subcategories Mapped With Evidence?
We look at the requirements of a subcategory and see which of our risk vectors help cover those requirements. Our evidence-to-category mappings have been verified by experienced NIST framework professionals.
How do I obtain a copy of my organization's Bitsight NIST report?
How is the framework organized?
From the Cybersecurity Framework document:
- Functions organize basic cybersecurity activities at their highest level.
- Categories are the subdivisions of a Function into groups of cybersecurity outcomes closely tied to programmatic needs and particular activities. Examples of Categories include “Asset Management,” “Access Control,” and “Detection Processes.”
- Subcategories further divide a Category into specific outcomes of technical and/or management activities. Examples of Subcategories include “External information systems are catalogued,” “Data-at-rest is protected,” and “Notifications from detection systems are investigated.”
What Are the High-Level Functions of the Cybersecurity Framework?
In order:
- Identify: Develop the organizational understanding to manage cybersecurity risk to systems, assets, data, and capabilities.
- Protect: Develop and implement the appropriate safeguards to ensure delivery of critical infrastructure services.
- Detect: Develop and implement the appropriate activities to identify the occurrence of a cybersecurity event.
- Respond: Develop and implement the appropriate activities to take action regarding a detected cybersecurity event.
- Recover: Develop and implement the appropriate activities to maintain plans for resilience and to restore any capabilities or services that were impaired due to a cybersecurity event.
What is in a Bitsight NIST report?
The Bitsight NIST report shows every requirement of the standards and best practices set forth by the Cybersecurity Framework that we are able to match with evidence, along with color indicators reflecting the degree to which an organization has coverage within the Cybersecurity Framework in each of those areas.
Example:
Within the “Identify” function, there is an “Asset Management” category and an “ID.AM-2” subcategory with the criterion “Software platforms and applications within the organization are inventoried.” Our Open Ports data provide evidence supporting the requirements of this subcategory, because, from an outside-in approach, they can show which software platforms and applications an organization is using.
What is the NIST Cybersecurity Framework?
The Cybersecurity Framework is a set of industry standards and best practices, issued by the US National Institute of Standards and Technology, to help organizations manage cybersecurity risk. It references globally recognized standards for cybersecurity. It can also be used by organizations located outside the United States and can serve as a model for international cooperation on strengthening critical infrastructure cybersecurity.
The official NIST Cybersecurity Framework documentation (PDF) is available for download.
Recommended reading:
- NIST: Cybersecurity Framework FAQs: Framework Basics
- PwC: Why You Should Adopt the NIST Cybersecurity Framework
- February 16, 2021: Refreshed risk vector mapping and its associated context.
- July 17, 2018: Breaches renamed and recategorized to “Security Incidents.”