cisecurity.org/ms-isac/
NIST Cybersecurity Framework Policy Template Guide
Contents
Introduction 1
NIST Function: Identify 2
Identify: Asset Management (ID.AM) 2
Identify: Supply Chain Risk Management (ID.SC) 3
NIST Function: Protect 4
Protect: Identity Management and Access Control (PR.AC) 4
Protect: Data Security (PR.DS) 5
Protect: Information Protection Processes and Procedures (PR.IP) 6
Protect: Maintenance (PR.MA) 7
Protect: Protective Technology (PR.PT) 7
NIST Function: Detect 9
Detect: Anomalies and Events (DE.AE) 9
Detect: Security Continuous Monitoring (DE.CM) 9
NIST Function: Respond 11
Respond: Response Planning (RS.RP) 11
Respond: Communications (RS.CO) 11
Respond: Analysis (RS.AN) 12
Respond: Improvements (RS.IM) 12
NIST Function: Recover 13
Recover: Recovery Planning (RC.RP) 13
Recover: Improvements (RC.IM) 13
Recover: Communications (RC.CO) 13
Additional Policy Templates 15
General 15
Network 15
Server Security 15
Application Security 15
Introduction
The Multi-State Information Sharing & Analysis Center (MS-ISAC) is offering this guide to
participants of the Nationwide Cybersecurity Review (NCSR) and MS-ISAC members as a
resource to assist with the application and advancement of cybersecurity policies.
The policy templates are provided courtesy of the SANS Institute (https://www.sans.org/),
the State of New York, and the State of California. The templates can be customized and
used as an outline of an organizational policy, with additional details to be added by the
end user.
The NCSR question set represents the National Institute of Standards and Technology
Cybersecurity Framework (NIST CSF). This guide gives the correlation between 49 of the
NIST CSF subcategories and the applicable policy and standard templates. A NIST
subcategory is represented by text such as "ID.AM-5." This represents the NIST function of
Identify and the category of Asset Management.
For additional information on services provided by the Multi-State Information Sharing
& Analysis Center (MS-ISAC), please refer to the following page:
https://www.cisecurity.org/ms-isac/services/. These policy templates are also mapped to the
resources MS-ISAC and CIS provide, open source resources, and free FedVTE training:
https://www.cisecurity.org/wp-content/uploads/2019/11/Cybersecurity-Resources-Guide.pdf.
Disclaimer: These policies may not reference the most recent applicable NIST revision;
however, they may be used as a baseline template by end users.
NIST Function: Identify
Identify: Asset Management (ID.AM)
ID.AM-1 Physical devices and systems within the organization are inventoried.
Acceptable Use of Information Technology Resource Policy
Access Control Policy
Account Management/Access Control Standard
Identification and Authentication Policy
Information Security Policy
Security Assessment and Authorization Policy
Security Awareness and Training Policy
ID.AM-2 Software platforms and applications within the organization are inventoried.
Acceptable Use of Information Technology Resource Policy
Access Control Policy
Account Management/Access Control Standard
Identification and Authentication Policy
Information Security Policy
Security Assessment and Authorization Policy
Security Awareness and Training Policy
ID.AM-4 External information systems are catalogued.
System and Communications Protection Policy
ID.AM-5 Resources (e.g., hardware, devices, data, time, and software) are prioritized based
on their classification, criticality, and business value.
SANS Policy Template: Acquisition Assessment Policy
Information Classification Standard
Information Security Policy
ID.AM-6 Cybersecurity roles and responsibilities for the entire workforce and third-party
stakeholders (e.g., suppliers, customers, partners) are established.
Acceptable Use of Information Technology Resource Policy
Information Security Policy
NIST-CSF-Policy-Template-Guide-2020-0720-1