Appendix A: NIST CSF Internal Controls

As discussed in Chapter 3, the NIST Cybersecurity Framework gives direct guidance on how to build a cybersecurity program. Its categories and subcategories specify the activities required to establish the program. For each subcategory, controls that outline the "how" of implementing its requirements must be defined; this requires someone to own each control and a time frame within which the control activities are to be established. Table A-1 shows the controls aligned to the subcategories within the Protect, Detect, and Respond functions.

Table A-1 NIST CSF Internal Controls

Category | Subcategory | Internal Control
Access Control | PR.AC-1: Identities and credentials are managed for authorized devices and users. | Access must ...

Get Building a HIPAA-Compliant Cybersecurity Program: Using NIST 800-30 and CSF to Secure Protected Health Information now with the O’Reilly learning platform.
