@opexxx
Created September 6, 2022 22:48
Identify: Functional Area summary
Asset Management
ID.AM-1: Physical devices and systems within the organization are inventoried
ID.AM-2: Software platforms and applications within the organization are inventoried
ID.AM-3: Organizational communication and data flows are mapped
ID.AM-4: External information systems are catalogued
ID.AM-5: Resources (e.g., hardware, devices, data, time, and software) are prioritized based on their classification, criticality, and business value
ID.AM-6: Cybersecurity roles and responsibilities for the entire workforce and third-party stakeholders (e.g., suppliers, customers, partners) are established
Business Environment
ID.BE-1: The organization’s role in the supply chain is identified and communicated
ID.BE-2: The organization’s place in critical infrastructure and its industry sector is identified and communicated
ID.BE-3: Priorities for organizational mission, objectives, and activities are established and communicated
ID.BE-4: Dependencies and critical functions for delivery of critical services are established
ID.BE-5: Resilience requirements to support delivery of critical services are established for all operating states (e.g. under duress/attack, during recovery, normal operations)
Governance
ID.GV-1: Organizational information security policy is established
ID.GV-2: Information security roles & responsibilities are coordinated and aligned with internal roles and external partners
ID.GV-3: Legal and regulatory requirements regarding cybersecurity, including privacy and civil liberties obligations, are understood and managed
ID.GV-4: Governance and risk management processes address cybersecurity risks
Risk Assessment
ID.RA-1: Asset vulnerabilities are identified and documented
ID.RA-2: Cyber threat intelligence is received from information sharing forums and sources
ID.RA-3: Threats, both internal and external, are identified and documented
ID.RA-4: Potential business impacts and likelihoods are identified
ID.RA-5: Threats, vulnerabilities, likelihoods, and impacts are used to determine risk
ID.RA-6: Risk responses are identified and prioritized
Risk Management Strategy
ID.RM-1: Risk management processes are established, managed, and agreed to by organizational stakeholders
ID.RM-2: Organizational risk tolerance is determined and clearly expressed
ID.RM-3: The organization’s determination of risk tolerance is informed by its role in critical infrastructure and sector specific risk analysis
Supply Chain Management
ID.SC-1: Cyber supply chain risk management processes are identified, established, assessed, managed, and agreed to by organizational stakeholders
ID.SC-2: Identify, prioritize and assess suppliers and third-party partners of information systems, components and services using a cyber supply chain risk assessment process
ID.SC-3: Suppliers and 3rd-party partners are required by contract to implement appropriate measures designed to meet the objectives of the Information Security program or Cyber Supply Chain Risk Management Plan
ID.SC-4: Suppliers and 3rd-party partners are routinely assessed to confirm that they are meeting their contractual obligations. Reviews of audits, summaries of test results, or other equivalent evaluations of suppliers/providers are conducted
ID.SC-5: Response and recovery planning and testing are conducted with suppliers and third-party providers