
CERT Resilience Management Model (CERT-RMM) V1.1: NIST Special Publication Crosswalk Version 1

Kevin G. Partridge
Lisa R. Young

November 2011

TECHNICAL NOTE
CMU/SEI-2011-TN-028

CERT Program
Unlimited distribution subject to the copyright.
http://www.sei.cmu.edu

Copyright 2012 Carnegie Mellon University.

This material is based upon work funded and supported by the United States Department of Homeland Security under Contract No. FA8721-05-C-0003 with Carnegie Mellon University for the operation of the Software Engineering Institute, a federally funded research and development center sponsored by the United States Department of Defense.

Any opinions, findings and conclusions or recommendations expressed in this material are those of the author(s) and do not necessarily reflect the views of United States Department of Homeland Security or the United States Department of Defense.

This report was prepared for the
Contracting Officer
ESC/CAA
20 Shilling Circle
Building 1305, 3rd Floor
Hanscom AFB, MA 01731-2125

THIS CARNEGIE MELLON UNIVERSITY AND SOFTWARE ENGINEERING INSTITUTE MATERIAL IS FURNISHED ON AN “AS-IS” BASIS. CARNEGIE MELLON UNIVERSITY MAKES NO WARRANTIES OF ANY KIND, EITHER EXPRESSED OR IMPLIED, AS TO ANY MATTER INCLUDING, BUT NOT LIMITED TO, WARRANTY OF FITNESS FOR PURPOSE OR MERCHANTABILITY, EXCLUSIVITY, OR RESULTS OBTAINED FROM USE OF THE MATERIAL. CARNEGIE MELLON UNIVERSITY DOES NOT MAKE ANY WARRANTY OF ANY KIND WITH RESPECT TO FREEDOM FROM PATENT, TRADEMARK, OR COPYRIGHT INFRINGEMENT.

This material has been approved for public release and unlimited distribution except as restricted below.

Internal use:* Permission to reproduce this material and to prepare derivative works from this material for internal use is granted, provided the copyright and “No Warranty” statements are included with all reproductions and derivative works.

External use:* This material may be reproduced in its entirety, without modification, and freely distributed in written or electronic form without requesting formal permission. Permission is required for any other external and/or commercial use. Requests for permission should be directed to the Software Engineering Institute at permission@sei.cmu.edu.

* CERT, CERT Resilience Measurement Model, CERT-RMM, and CMMI are registered in the U.S. Patent and Trademark Office by Carnegie Mellon University.

These restrictions do not apply to U.S. government entities.

SEI markings v3.2 / 30 August 2011

Table of Contents

Abstract iii
1 Introduction 1
1.1 CERT-RMM Description, Features, and Benefits 1
1.2 CERT-RMM Structure in Relation to NIST Guidelines 2
2 NIST Publications 4
2.1 NIST SP 800-18 4
2.2 NIST SP 800-30 4
2.3 NIST SP 800-34 4
2.4 NIST SP 800-37 4
2.5 NIST SP 800-39 5
2.6 NIST SP 800-53 5
2.7 NIST SP 800-53A 5
2.8 NIST SP 800-55 5
2.9 NIST SP 800-60 5
2.10 NIST SP 800-61 6
2.11 NIST SP 800-70 6
2.12 NIST SP 800-137 6
3 CERT-RMM Crosswalk of NIST 800-Series Special Publications 7
References 26

CMU/SEI-2011-TN-028 i


Abstract

The CERT Resilience Management Model (CERT-RMM) allows organizations to determine how their current practices support their desired levels of process maturity and improvement. This technical note maps CERT-RMM process areas to certain National Institute of Standards and Technology (NIST) special publications in the 800 series. It aligns the tactical practices suggested in the NIST publications to the process areas that describe management of operational resilience at a process level. This technical note is an extension of the CERT-RMM Code of Practice Crosswalk, Commercial Version (CMU/SEI-2011-TN-012).


1 Introduction

Organizations can use the CERT Resilience Management Model (CERT-RMM)* V1.1 to determine how their current practices support their desired level of process maturity in the domains of security planning and management, business continuity and disaster recovery, and IT operations and service delivery. This technical note supplements and is a follow-on to the CERT-RMM Code of Practice Crosswalk, Commercial Version (CMU/SEI-2011-TN-012). This follow-on crosswalk connects CERT-RMM process areas to a focused set of National Institute of Standards and Technology (NIST) special publications in the 800 series.

This document helps to achieve a primary goal of CERT-RMM, which is to allow its adopters to continue to use preferred standards and codes of practice at a tactical level while maturing management and improvement of operational resilience at a process level. This document provides a reference for adopters of the model to determine how their current deployment of practices supports their desired level of process maturity and improvement.

The CERT-RMM process areas and the guidance within these NIST special publications are aligned only by subject matter. The materials often conflict, both in their level of detail and intended usage. Many of the NIST documents are very specific and provide direct operational guidance. These special publications are more prescriptive than the associated CERT-RMM specific practices. Where this is the case, this crosswalk aligns them according to their shared subject matter. It is not intended to provide a direct mapping of each step in the NIST best practices to each CERT-RMM specific practice and subpractice.

Some of the NIST special publications detail process requirements. These are much more closely and directly aligned with CERT-RMM goals and practices. In this case the alignment is obvious. However, a NIST special publication may not completely cover the goals or specific practices within a process area, but it may provide a component or subset of the related requirements at the goal or practice level. The crosswalk does not reflect the discontinuities at this level. It shows only the affinity between certain NIST 800-series special publications and CERT-RMM goals and practices according to their shared subject matter and focus.

This technical note shows the areas of overlap and redundancy between CERT-RMM process areas and the guidance in the NIST special publications, but it also shows the gaps that may affect the maturity of a practice. The CERT-RMM provides a reference model that allows organizations to make sense of their practices in a process context and improve processes and effectiveness. This crosswalk can help organizations align NIST practices to CERT-RMM process improvement goals.

1.1 CERT-RMM Description, Features, and Benefits

CERT-RMM V1.1 is a capability maturity model for managing operational resilience. It has two primary objectives:

• Establish the convergence of operational risk and resilience management activities (security planning and management, business continuity, IT operations, and service delivery) into a single model.
• Apply a process improvement approach to operational resilience management by defining and applying a capability scale expressed in increasing levels of process maturity.

CERT-RMM has the following features and benefits:

• provides a process definition, expressed in 26 process areas across four categories: enterprise management, engineering, operations, and process management
• focuses on the resilience of four essential operational assets: people, information, technology, and facilities
• includes processes and practices that define a scale of four capability levels for each process area: incomplete, performed, managed, and defined
• serves as a meta-model that easily coexists with and references common codes of practice, such as the NIST special publications 800 series, the International Organization for Standards (ISO) and International Electrotechnical Commission (IEC) 27000 series, COBIT, the British Standards Institution’s BS 25999, and ISO 24762
• includes quantitative process measurements that can be used to ensure operational resilience processes are performing as intended
• facilitates an objective measurement of capability levels via a structured and repeatable appraisal methodology
• extends the process improvement and maturity pedigree of Capability Maturity Model Integration (CMMI)** to assurance, security, and service continuity activities

A copy of the current version of CERT-RMM can be obtained.

1.2 CERT-RMM Structure in Relation to NIST Guidelines

CERT-RMM has several key components. The process area forms the major structural element in the model. Each process area has a series of descriptive components.

CERT-RMM refers to two types of practices: specific practices and subpractices. To make use of this crosswalk, it is important to understand the distinctions among these types of practices and the practices contained in common codes of practice.

1.2.1 Process Area

CERT-RMM comprises 26 process areas. Each process area describes a functional area of competency. In aggregate, these 26 process areas define the operational resilience management system. Process areas comprise goals, each achieved through specific practices, which are themselves broken down into subpractices.

* CERT is a registered mark owned by Carnegie Mellon University.
** CMMI is registered in the U.S. Patent and Trademark Office by Carnegie Mellon University.

Goals

Each process area has a set of goals. Goals are required elements of the process area, and they define its target accomplishments. An example of a goal from the Service Continuity process area is “SC:SG1 Prepare for Service Continuity.”

Generic goals are defined within individual process areas and pertain to elements that are relevant across all process areas. Their degree of achievement indicates a process’s level of institutionalization. Achievement of a generic goal is an indicator that the associated practices have been implemented across the process area. These goals ensure that the process area will be effective, repeatable, and lasting.

The crosswalk itself could be described as mapping strictly across Generic Goal 1, “Achieve Specific Goals.” This crosswalk is not intended to map NIST special publication guidelines across all generic goals or assert that a special publication helps an organization achieve any particular capability or maturity rating.

Specific Practices

Each process area goal has its own specific practices. Specific practices constitute a process area’s base practices, reflect its body of knowledge, and express what must be done. An example of a specific practice from the Service Continuity process area is “SC:SG1.SP1 Plan for Service Continuity,” which supports the goal “SC:SG1 Prepare for Service Continuity.”

Subpractices

Specific practices break down into subpractices. Subpractices are informative elements associated with each specific practice. These subpractices can often be related to specific process work products. Where specific practices focus on what must be done, subpractices focus on how it must be done. While not overly prescriptive or detailed, subpractices help the user determine how to satisfy the specific practices and achieve the goals of the process area. Each organization will have its own subpractices, either organically or by acquiring them from a code of practice.

Subpractices can be linked to the best practices and implementation guidance found in the NIST 800-series special publications. Subpractice instructions are usually broad, but many of the special publication guidelines can be definitive. For example, a subpractice may suggest that the user “set password standards and guidelines,” but a special publication may state that “passwords should be changed at 90-day intervals.”

2 NIST Publications

This section details the NIST 800-series special publications that are referenced in this document. The authors of this technical note chose these publications, which focus on IT security, for their utility within the Federal Information Security Management Act (FISMA) process as it is generally interpreted and because they cover a broad spectrum of FISMA requirements. Beginning with NIST SP 800-18, the publications provide guidance on security plan development. Each subsequent publication builds toward more specific guidance and requirements for a security program. The last three publications cover auxiliary topics impacting the risk management framework.

This section includes information on obtaining copies of each code of practice, which are freely available from the NIST website at http://csrc.nist.gov/publications/PubsSPs.html. NIST and the U.S. Department of Commerce retain all rights to and copyright of the NIST publications.

2.1 NIST SP 800-18

NIST Special Publication 800-18 Revision 1: Guide for Developing Security Plans for Federal Information Systems [NIST 2006] describes the development of security requirements and the implementation of controls based upon those requirements. The current standard is version 1. It can be downloaded at Rev1/sp800-18-Rev1final.pdf.

2.2 NIST SP 800-30

NIST Special Publication 800-30, Risk Management Guide for Information Technology Systems [NIST 2002] covers risk calculation and management methodology. It is particularly oriented toward the management of risk in conjunction with an accreditation program. The current standard is version 1. It can be downloaded at p800-30.pdf.

2.3 NIST SP 800-34

NIST Special Publication 800-34 Rev. 1, Contingency Planning Guide for Federal Information Systems [NIST 2010a] provides best practices for contingency plan development. It is a recommended guide for federal systems. The guidance provides a baseline of contingency plan practices. It also describes the interrelated, individual contingency plans and their roles in the system development lifecycle (SDLC). The publication discusses the integration of various requirements, including Federal Information Processing Standards (FIPS) Publication 199 and NIST Special Publication 800-53. The current standard is version 1. It can be downloaded at 4-rev1/sp800-34-rev1 errata-Nov11-2010.pdf.

2.4 NIST SP 800-37

NIST Special Publication 800-37 Revision 1, Guide for Applying the Risk Management Framework to Federal Information Systems: A Security Life Cycle Approach [NIST 2010b] provides guidance for federal information systems and the application of the Risk Management Framework. The current standard is version 1. It can be downloaded at 7-rev1/sp800-37-rev1-final.pdf.

2.5 NIST SP 800-39

NIST Special Publication 800-39, Managing Information Security Risk: Organization, Mission, and Information System View [NIST 2011a] is the core document for integration of the NIST approach to risk management into a comprehensive Enterprise Risk Management (ERM) program. Developed in response to FISMA, SP 800-39 provides guidance on developing a comprehensive risk management program that includes all aspects of operations. Other, more focused NIST special publications support this guidance. The current standard is version 1. It can be downloaded at SP800-39-final.pdf.

2.6 NIST SP 800-53

NIST Special Publication 800-53 Revision 3, Recommended Security Controls for Federal Information Systems and Organizations [NIST 2009] comprises a selection of security controls for executive federal agencies. These guidelines are pertinent to all system components that process federal information. The current standard is version 1. It can be downloaded at 3-Rev3/sp800-53-rev3-final updated-errata 0501-2010.pdf.

2.7 NIST SP 800-53A

NIST Special Publication 800-53A Revision 1, Guide for Assessing the Security Controls in Federal Information Systems and Organizations: Building Effective Security Assessment Plans [NIST 2008a] details a process for assessing the effectiveness and appropriateness of the security controls deployed by a federal organization. The current standard is version 1. It can be downloaded at /SP800-53A-final-sz.pdf.

2.8 NIST SP 800-55

NIST Special Publication 800-55 Revision 1, Performance Measurement Guide for Information Security [NIST 2008b] provides guidance on the development of measures to describe the functioning of an organization’s security program, as well as guidance on the subsequent development of controls. The publication considers various mandates and requirements, including FISMA. The current standard is version 1. It can be downloaded at 5-Rev1/SP800-55-rev1.pdf.

2.9 NIST SP 800-60

NIST Special Publication 800-60 Volume I, Revision 1, Guide for Mapping Types of Information and Information Systems to Security Categories [NIST 2008c] and Volume II, Appendices [NIST 2008d] provide guidelines for system owners mapping the sensitivity and criticality of their systems according to FISMA requirements. The current standard is version 1. They can be downloaded at rev1/SP800-60 Vol1-Rev1.pdf and rev1/SP800-60 Vol2-Rev1.pdf.

2.10 NIST SP 800-61

NIST Special Publication 800-61 Revision 1, Computer Security Incident Handling Guide [NIST 2008e] provides guidance for the appropriate handling of computer security incidents. The publication also contains guidance for implementing a tailored incident handling program. The current standard is version 1.2.1. It can be downloaded at 1-rev1/SP800-61rev1.pdf.

2.11 NIST SP 800-70

NIST Special Publication 800-70 Revision 2, National Checklist Program for IT Products—Guidelines for Checklist Users and Developers [NIST 2011b] is an index to the National Checklist Program’s repository of checklists. It also provides guidance on the associated policies of the National Checklist Program. The current standard is version 1. It can be downloaded at 0-rev2/SP800-70-rev2.pdf.

2.12 NIST SP 800-137

NIST Special Publication 800-137 Initial Public Draft (IPD), Information Security Continuous Monitoring for Federal Information Systems and Organizations [NIST 2010c] comprises the NIST guidance for development and implementation of a continuous monitoring strategy. The guidance broadly focuses on awareness of threats and vulnerabilities, as well as the controls deployed against those vulnerabilities. The publication discusses a continuous strategy that balances risk, awareness, and response capability. The draft publication used for this crosswalk is no longer available and has been replaced by the final version 1.

3 CERT-RMM Crosswalk of NIST 800-Series Special Publications

[Crosswalk table: the cell entries (NIST special publication section numbers and 800-53 Rev. 3 control numbers) were scattered in transcription and can no longer be assigned to their rows and columns; only the column headings and the row labels are recoverable and are listed here. The table continues beyond KIM:SG2.SP1 in the original, but the transcription ends there.]

Columns: CERT-RMM V1.1 Process Areas, Goals, and Specific Practices | NIST Special Publication Section Numbers (Control Numbers for 800-53 Rev. 3): 800-18 Rev. 1 | 800-30 | 800-34 Rev. 1 | 800-37 Rev. 1 | 800-39 | 800-53 Rev. 3 | 800-53A Rev. 1 | 800-55 Rev. 1 | 800-60 Vol. 1 Rev. 1 | 800-61 Rev. 1 | 800-70 Rev. 2 | 800-137 (IPD)

Rows:

ADM – Asset Definition and Management
ADM:SG1 Establish Organizational Assets
ADM:SG1.SP1 Inventory Assets
ADM:SG1.SP2 Establish a Common Understanding
ADM:SG1.SP3 Establish Ownership and Custodianship
ADM:SG2 Establish the Relationship Between Assets and Services
ADM:SG2.SP1 Associate Assets with Services
ADM:SG2.SP2 Analyze Asset-Service Dependencies
ADM:SG3 Manage Assets
ADM:SG3.SP1 Identify Change Criteria
ADM:SG3.SP2 Maintain Changes to Assets and Inventory

AM – Access Management
AM:SG1 Manage and Control Access
AM:SG1.SP1 Enable Access
AM:SG1.SP2 Manage Changes to Access Privileges
AM:SG1.SP3 Periodically Review and Maintain Access Privileges
AM:SG1.SP4 Correct Inconsistencies

COMM – Communications
COMM:SG1 Prepare for Resilience Communications
COMM:SG1.SP1 Identify Relevant Stakeholders
COMM:SG1.SP2 Identify Communications Requirements
COMM:SG1.SP3 Establish Communications Guidelines and Standards
COMM:SG2 Prepare for Communications Management
COMM:SG2.SP1 Establish a Resilience Communications Plan
COMM:SG2.SP2 Establish a Resilience Communications Program
COMM:SG2.SP3 Identify and Assign Plan Staff
COMM:SG3 Deliver Resilience Communications
COMM:SG3.SP1 Identify Communications Methods and Channels
COMM:SG3.SP2 Establish and Maintain Communications Infrastructure
COMM:SG4 Improve Communications
COMM:SG4.SP1 Assess Communications Effectiveness
COMM:SG4.SP2 Improve Communications

COMP – Compliance
COMP:SG1 Prepare for Compliance Management
COMP:SG1.SP1 Establish a Compliance Plan
COMP:SG1.SP2 Establish a Compliance Program
COMP:SG1.SP3 Establish Compliance Guidelines and Standards
COMP:SG2 Establish Compliance Obligations
COMP:SG2.SP1 Identify Compliance Obligations
COMP:SG2.SP2 Analyze Obligations
COMP:SG2.SP3 Establish Ownership for Meeting Obligations
COMP:SG3 Demonstrate Satisfaction of Compliance Obligations
COMP:SG3.SP1 Collect and Validate Compliance Data
COMP:SG3.SP2 Demonstrate the Extent of Compliance Obligation Satisfaction
COMP:SG3.SP3 Remediate Areas of Non-Compliance
COMP:SG4 Monitor Compliance Activities
COMP:SG4.SP1 Evaluate Compliance Activities

CTRL – Controls Management
CTRL:SG1 Establish Control Objectives
CTRL:SG1.SP1 Define Control Objectives
CTRL:SG2 Establish Controls
CTRL:SG2.SP1 Define Controls
CTRL:SG3 Analyze Controls
CTRL:SG3.SP1 Analyze Controls
CTRL:SG4 Assess Control Effectiveness
CTRL:SG4.SP1 Assess Controls

EC – Environmental Control
EC:SG1 Establish and Prioritize Facility Assets
EC:SG1.SP1 Prioritize Facility Assets
EC:SG1.SP2 Establish Resilience-Focused Facility Assets
EC:SG2 Protect Facility Assets
EC:SG2.SP1 Assign Resilience Requirements to Facility Assets
EC:SG2.SP2 Establish and Implement Controls
EC:SG3 Manage Facility Asset Risk
EC:SG3.SP1 Identify and Assess Facility Asset Risk
EC:SG3.SP2 Mitigate Facility Risks
EC:SG4 Control Operational Environment
EC:SG4.SP1 Perform Facility Sustainability Planning
EC:SG4.SP2 Maintain Environmental Conditions
EC:SG4.SP3 Manage Dependencies on Public Services
EC:SG4.SP4 Manage Dependencies on Public Infrastructure
EC:SG4.SP5 Plan for Facility Retirement

EF – Enterprise Focus
EF:SG1 Establish Strategic Objectives
EF:SG1.SP1 Establish Strategic Objectives
EF:SG1.SP2 Establish Critical Success Factors
EF:SG1.SP3 Establish Organizational Services
EF:SG2 Plan for Operational Resilience
EF:SG2.SP1 Establish an Operational Resilience Management Plan
EF:SG2.SP2 Establish an Operational Resilience Management Program
EF:SG3 Establish Sponsorship
EF:SG3.SP1 Commit Funding for Operational Resilience Management
EF:SG3.SP2 Promote a Resilience-Aware Culture
EF:SG3.SP3 Sponsor Resilience Standards and Policies
EF:SG4 Provide Resilience Oversight
EF:SG4.SP1 Establish Resilience as a Governance Focus Area
EF:SG4.SP2 Perform Resilience Oversight
EF:SG4.SP3 Establish Corrective Actions

EXD – External Dependencies
EXD:SG1 Identify and Prioritize External Dependencies
EXD:SG1.SP1 Identify External Dependencies
EXD:SG1.SP2 Prioritize External Dependencies
EXD:SG2 Manage Risks Due to External Dependencies
EXD:SG2.SP1 Identify and Assess Risks Due to External Dependencies
EXD:SG2.SP2 Mitigate Risks Due to External Dependencies
EXD:SG3 Establish Formal Relationships
EXD:SG3.SP1 Establish Enterprise Specifications for External Dependencies
EXD:SG3.SP2 Establish Resilience Specifications for External Dependencies
EXD:SG3.SP3 Evaluate and Select External Entities
EXD:SG3.SP4 Formalize Relationships
EXD:SG4 Manage External Entity Performance
EXD:SG4.SP1 Monitor External Entity Performance
EXD:SG4.SP2 Correct External Entity Performance

FRM – Financial Resource Management
FRM:SG1 Establish Financial Commitment
FRM:SG1.SP1 Commit Funding for Operational Resilience Management
FRM:SG1.SP2 Establish Structure to Support Financial
FRM:SG2 Perform Financial Planning
FRM:SG2.SP1 Define Funding Needs
FRM:SG2.SP2 Establish Resilience Budgets
FRM:SG2.SP3 Resolve Funding Gaps
FRM:SG3 Fund Resilience Activities
FRM:SG3.SP1 Fund Resilience Activities
FRM:SG4 Account for Resilience Activities
FRM:SG4.SP1 Track and Document Costs
FRM:SG4.SP2 Perform Cost and Performance Analysis
FRM:SG5 Optimize Resilience Expenditures and Investments
FRM:SG5.SP1 Optimize Resilience Expenditures
FRM:SG5.SP2 Determine Return on Resilience Investments
FRM:SG5.SP3 Identify Cost Recovery Opportunities

HRM – Human Resource Management
HRM:SG1 Establish Resource Needs
HRM:SG1.SP1 Establish Baseline Competencies
HRM:SG1.SP2 Inventory Skills and Identify Gaps
HRM:SG1.SP3 Address Skill Deficiencies
HRM:SG2 Manage Staff Acquisition
HRM:SG2.SP1 Verify Suitability of Candidate Staff
HRM:SG2.SP2 Establish Terms and Conditions of Employment
HRM:SG3 Manage Staff Performance
HRM:SG3.SP1 Establish Resilience as a Job Responsibility
HRM:SG3.SP2 Establish Resilience Performance Goals and Objectives
HRM:SG3.SP3 Measure and Assess Performance
HRM:SG3.SP4 Establish Disciplinary Process
HRM:SG4 Manage Changes to Employment Status
HRM:SG4.SP1 Manage Impact of Position Changes
HRM:SG4.SP2 Manage Access to Assets
HRM:SG4.SP3 Manage Involuntary Terminations

ID – Identity Management
ID:SG1 Establish Identities
ID:SG1.SP1 Create Identities
ID:SG1.SP2 Establish Identity Community
ID:SG1.SP3 Assign Roles to Identities
ID:SG2 Manage Identities
ID:SG2.SP1 Monitor and Manage Identity Changes
ID:SG2.SP2 Periodically Review and Maintain Identities
ID:SG2.SP3 Correct Inconsistencies
ID:SG2.SP4 Deprovision Identities

IMC – Incident Management and Control
IMC:SG1 Establish the Incident Management and Control Process
IMC:SG1.SP1 Plan for Incident Management
IMC:SG1.SP2 Assign Staff to the Incident Management Plan
IMC:SG2 Detect Events
IMC:SG2.SP1 Detect and Report Events
IMC:SG2.SP2 Log and Track
IMC:SG2.SP3 Collect, Document, and Preserve Event Evidence
IMC:SG2.SP4 Analyze and Triage Events
IMC:SG3 Declare Incidents
IMC:SG3.SP1 Define and Maintain Incident Declaration Criteria
IMC:SG3.SP2 Analyze Incidents
IMC:SG4 Respond to and Recover from Incidents
IMC:SG4.SP1 Escalate Incidents
IMC:SG4.SP2 Develop Incident Response
IMC:SG4.SP3 Communicate Incidents
IMC:SG4.SP4 Close Incidents
IMC:SG5 Establish Incident Learning
IMC:SG5.SP1 Perform Post-Incident Review
IMC:SG5.SP2 Integrate with the Problem Management Process
IMC:SG5.SP3 Translate Experience to Strategy

KIM – Knowledge and Information Management
KIM:SG1 Establish and Prioritize Information Assets
KIM:SG1.SP1 Prioritize Information Assets
KIM:SG1.SP2 Categorize Information
KIM:SG2 Protect Information Assets
KIM:SG2.SP1 Assign Resilience Requirements to Information Assets
KIM:SG2.
