Distribution Statement A: Approved for Public Release; Distribution is Unlimited 35
| CRR Goal and Practice [CERT-RMM Reference] | NIST CSF Category/Subcategory | Asset Management Resource Guide Reference |
|---|---|---|
| Goal 3: The relationship between assets and the services they support is — | | |
| 1. Are the associations between assets and the critical service they support documented? [ADM:SG2.SP1] | ID.BE-4: Dependencies and critical functions for delivery of critical services are established. | Section V, Step 3 |
| 2. Are confidentiality, integrity, and availability requirements established for each service-related asset? [RRD:SG2.SP1] | ID.BE-5: Resilience requirements to support delivery of critical services are established. ID.GV-3: Legal and regulatory requirements regarding cybersecurity, including privacy and civil liberties obligations, are understood and managed. | Section V, Step 3 |
| Goal 4: The asset inventory is — | | |
| 1. Have change criteria been established for asset descriptions? [ADM:SG3.SP1] | ID.AM: The data, personnel, devices, systems, and facilities that enable the organization to achieve business purposes are identified and managed consistent with their relative importance to business objectives and the organization’s risk strategy. | Section VI, Step 1 |
| 2. Are asset descriptions updated when changes to assets occur? [ADM:SG3.SP2] | ID.AM: The data, personnel, devices, systems, and facilities that enable the organization to achieve business purposes are identified and managed consistent with their relative importance to business objectives and the organization’s risk strategy. | Section VI, Step 4 |
| Goal 5: Access to assets is managed. | | |
| 1. Is access to assets granted based on their protection requirements? [AM:SG1.SP1] | PR.AC-1: Identities and credentials are managed for authorized devices and users. PR.AC-2: Physical access to assets is managed and protected. PR.AC-3: Remote access is managed. | Section IV, Step 3 |
| 2. Are access requests reviewed and approved by the asset owner? [AM:SG1.SP1] | PR.AC-1: Identities and credentials are managed for authorized devices and users. PR.AC-2: Physical access to assets is managed and protected. PR.AC-3: Remote access is managed. | Section IV, Step 3 |
| 3. Are access privileges reviewed to identify excessive or inappropriate privileges? [AM:SG1.SP3] | PR.AC: Access to assets and associated facilities is limited to authorized users, processes, or devices, and to authorized activities and transactions. | Section IV, Step 3 |
| 4. Are access privileges modified as a result of reviews? [AM:SG1.SP3] | PR.AC: Access to assets and associated facilities is limited to authorized users, processes, or devices, and to authorized activities and transactions. | Section IV, Step 3 |
| Goal 6: Information assets are categorized and managed to ensure the sustainment and protection of the — | | |
| 1. Are information assets categorized based on sensitivity and potential impact to the critical service (such as public, internal use only, secret)? [KIM:SG1.SP2] | PR.DS: Information and records (data) are managed consistent with the organization’s risk strategy to protect the confidentiality, integrity, and availability of information. | Section IV, Step 3 |
| 2. Is the categorization of information assets monitored and enforced? | PR.DS: Information and records (data) are managed consistent with the organization’s risk strategy to protect the confidentiality, integrity, and availability of information. | Section IV, Step 3 |
| 3. Are there policies and procedures for the proper labeling and handling of information assets? [KIM:SG1.SP2] | PR.DS: Information and records (data) are managed consistent with the organization’s risk strategy to protect the confidentiality, integrity, and availability of information. | Section VI, Step 3 |