{ "cyb-010": [{"Identifier": "CYB.010.010","Activity": "Mission Systems Identification","Description": "Clearly and quickly identify High Value Assets (HVA), Mission Critical and/or Mission essential system components in security monitoring systems to include IP addresses, host name, and functional owner."},{"Identifier": "CYB.010.020","Activity": "Asset Inventory","Description": "Define all (including SOC) systems and data within the organization."}], "cyb-020": [{"Identifier": "CYB.020.010","Activity": "Risk Assessment","Description": "Conduct periodical risk assessments (RA) of organization's systems, and report on the results, in order to improve the security posture of the organization."},{"Identifier": "CYB.020.020","Activity": "Insider Threat","Description": "Provide awareness & training; analysis, and assessment capabilities to the organization's insider threat program in order to counter insider threats."},{"Identifier": "CYB.020.030","Activity": "Cyber Threat Intelligence","Description": "Cyber Threat intelligence is aggregated, transformed, analyzed, interpreted, or enriched to provide the actionable information for decision-making processes."}], "cyb-030": [{"Identifier": "CYB.030.010","Activity": "Coordination","Description": "Activities are coordinated with internal and external parties (e.g. coordinating centers, Internet Service Providers, owners of attacking systems, victims, other CSIRTs, and vendors)."},{"Identifier": "CYB.030.020","Activity": "Communications","Description": "Communicate activities across the organization in order to quickly disseminate the right information to the right people at the right time."},{"Identifier": "CYB.030.030","Activity": "Continuous Improvement","Description": "Planning and processes are improved by incorporating lessons learned into future activities."},{"Identifier": "CYB.030.040","Activity": "Response Planning","Description": "Response processes and procedures are maintained, to ensure response to detected cybersecurity incidents."},{"Identifier": "CYB.030.050","Activity": "Information Sharing","Description": "Maintain relations between organizational and federal experts in order to share relevant and needed information."},{"Identifier": "CYB.030.060","Activity": "Monitoring and Response Prioritization","Description": "Prioritize mission systems and data in security monitoring and incident response systems."},{"Identifier": "CYB.030.070","Activity": "Supply Chain Risk Management","Description": "Consistent cyber supply chain risk management processes are identified, established, assessed, managed, and agreed to by component stakeholders."}], "cyb-040": [{"Identifier": "CYB.040.010","Activity": "Anti-Malware","Description": "Establish agency program in order to have enterprise-wide malware prevention."}], "cyb-050": [{"Identifier": "CYB.050.010","Activity": "Awareness","Description": "Maintain awareness of emerging technologies for SOC personnel to implement into existing tactics, techniques, and procedures."}], "cyb-060": [{"Identifier": "CYB.060.010","Activity": "Patch Management","Description": "Implement a comprehensive patch management program in order to identify, report, and correct information system flaws."},{"Identifier": "CYB.060.020","Activity": "Remediation / Mitigation","Description": "Correct problems identified by confirmed weaknesses or vulnerability assessment activities, in order to provide guidance to the organization on reducing any risk or exposure."},{"Identifier": "CYB.060.030","Activity": "Coordinated Vulnerability Disclosure","Description": "Gathering information from vulnerability finders, coordinating the sharing of that information between relevant stakeholders, and disclosing the existence of software vulnerabilities and their mitigations to various stakeholders including the public in order to reduce an adversary's advantage while an information security vulnerability is being mitigated."}], "cyb-070": [{"Identifier": "CYB.070.010","Activity": "Contingency Planning","Description": "Implement appropriate continuity measures to restore capabilities or services that were impaired due to a cybersecurity incident."}], "cyb-080": [{"Identifier": "CYB.080.010","Activity": "Data Protection","Description": "Evaluate data protection measures for consistent implementation to protect the confidentiality, integrity, and availability (CIA) across the organization."},{"Identifier": "CYB.080.020","Activity": "Application Security Testing","Description": "Conduct proactive vulnerability assessments on organizational applications and websites (including the SOC) and within the organization's prescibed timeframes."},{"Identifier": "CYB.080.030","Activity": "Application Security Development","Description": "Implement and test security features within software, applications, and ISO layer 7 information to prevent unauthorized access and modification."}], "cyb-090": [{"Identifier": "CYB.090.010","Activity": "Network, System and Data Monitoring","Description": "Continuously perform security monitoring on all networks, systems, applications and data in the organization and external environments (including cloud and websites) and other trusted sources of information owned by the organization in order to detect suspicious activity across the enterprise."},{"Identifier": "CYB.090.020","Activity": "Penetration Testing","Description": "Conduct penetration testing of organizational networks and systems to make the organization aware of weaknesses that can be similarly identified or exploited."},{"Identifier": "CYB.090.030","Activity": "Vulnerability Assessment","Description": "Conduct proactive vulnerability assessments on organizational networks and systems (including the SOC) and address findings in a timely manner in order to prevent or minimize damage to the organization."}], "cyb-100": [{"Identifier": "CYB.100.010","Activity": "Incident Analysis","Description": "Analyze incidents for accurate and quick response in order to identify the scope and nature of the incident, the involved parties, the timeframe, the relationship of the incident to other activities, and available response strategies."},{"Identifier": "CYB.100.020","Activity": "Incident Correlation","Description": "Correlate incidents for accurate and quick response in order to determine any interrelations, patterns, common intruder signatures, common targets, or exploitation of common vulnerabilities."},{"Identifier": "CYB.100.030","Activity": "Incident Reporting","Description": "Report incidents to organizational management and coordinate with the appropriate external organizations or groups, in accordance with organizational and federal requirements, in order to broaden situational awareness."},{"Identifier": "CYB.100.040","Activity": "Incident Handling","Description": "Establish incident response abilities and handle incidents efficiently and effectively, per the organization's incident response plan."},{"Identifier": "CYB.100.050","Activity": "Event Archive","Description": "Store and make available all security event and incident reporting in a central and secure repository in order for data to be used as a source for any legal/law enforcement, situational awareness, incident correlation, or other incident analysis (including fusion analysis or retrospective analysis) that may be done."}] }