NIST Cybersecurity Framework Functions

Controls are mapped to the six functions of the NIST Cybersecurity Framework (CSF) 2.0. The functions organize cybersecurity outcomes at the highest level.

Govern (GV)

Establish and monitor the organization’s cybersecurity risk management strategy, expectations, and policy. Govern provides context for all other functions.

Control | Title | Owner
SID-ARCH-02 | Operator-Scope Compliance Obligations | operator
SID-ORG-01 | Information Security Policy | operator
SID-ORG-02 | Roles, Responsibilities, and Segregation of Duties | operator
SID-ORG-04 | Supplier and Third-Party Security | operator
SID-ORG-05 | Legal, Regulatory, and Contractual Compliance | operator
SID-ORG-06 | Wallet Service Practice Statement | operator
SID-ORG-07 | Terms of Service and Privacy Policy | operator
SID-OPS-05 | Secure Configuration Management | platform

Identify (ID)

Understand the organization’s assets, suppliers, and related cybersecurity risks. Prioritize efforts consistent with risk management strategy and business needs.

Control | Title | Owner
SID-ARCH-01 | Platform Architecture Non-Applicability Register | platform
SID-ORG-03 | Risk Management Framework | operator
SID-ORG-08 | Information Classification and Labelling | operator
SID-HARD-06 | Wallet Attestation and Environment Integrity | platform
SID-OPS-09 | Platform Security Documentation | platform
SID-OPS-13 | Operator Security Documentation | operator
SID-TRUST-01 | AuthZEN PDP Trust Evaluation Service | platform
SID-TRUST-02 | Multi-Registry Trust Framework Support | platform

Protect (PR)

Implement safeguards to ensure delivery of critical services and reduce the likelihood and impact of cybersecurity events.

Control | Title | Owner
SID-ACCESS-01 | Multi-Tenant Isolation | platform
SID-ACCESS-02 | Rate Limiting and Brute-Force Protection | platform
SID-ACCESS-03 | User Consent Before Credential Disclosure | platform
SID-ACCESS-04 | SPOCP Policy-Based Query Authorization | platform
SID-AUTH-01 | FIDO2/WebAuthn Passwordless Authentication | platform
SID-AUTH-02 | JWT Bearer Token Session Management | platform
SID-AUTH-03 | OIDC Gate for External Identity Providers | platform
SID-AUTH-04 | WebSocket JWT Handshake Authentication | platform
SID-AUTH-05 | Wallet Unlock, Lockout, and PIN Security | platform
SID-AUTH-06 | Wallet Lifecycle Management | platform
SID-CRYPTO-01 | PKCS#11 HSM Key Protection | platform
SID-CRYPTO-02 | PRF Extension Key Derivation | platform
SID-CRYPTO-03 | AES-256-GCM Encrypted Keystore | platform
SID-CRYPTO-04 | COSE Sign1 and mDOC Cryptography | platform
SID-CRYPTO-05 | Secure Random Number Generation | platform
SID-DATA-01 | SD-JWT Selective Disclosure | platform
SID-DATA-02 | mDOC Element-Level Selective Disclosure | platform
SID-DATA-03 | Credential Revocation via Token Status List | platform
SID-DATA-04 | VCTM Schema Validation | platform
SID-DATA-06 | PII Field Encryption for User Records | platform
SID-DATA-07 | Credential Re-issuance and Lifecycle Management | platform
SID-DATA-08 | Server-Side Data Cache Protection | platform
SID-DATA-09 | Runtime Memory Protection | platform
SID-DATA-10 | Wallet Backup Security | platform
SID-HARD-01 | Error Message Sanitization | platform
SID-HARD-02 | Input Validation and Injection Prevention | platform
SID-HARD-03 | Network Segmentation (Separate Server Ports) | platform
SID-HARD-04 | Secure Registration Enforcement | platform
SID-HARD-05 | Browser Security Controls | platform
SID-HARD-07 | Resource Upload Constraints | platform
SID-HARD-08 | Sensitive Data UI Protection | platform
SID-HARD-09 | Application Resilience and Anti-Tampering | platform
SID-KEY-01 | WSCA WebSocket Key Signing Delegation | platform
SID-KEY-02 | IACA Certificate Management | platform
SID-KEY-03 | WSCD Client Library with rawSign API | platform
SID-KEY-04 | R2PS Remote WSCD SCAL2 Compliance | platform
SID-OPS-08 | Secure Development Lifecycle | platform
SID-OPS-12 | Deployment Environment Separation | operator
SID-OPS-10 | Encryption-at-Rest and Secrets Management | operator
SID-OPS-11 | Data Leakage Prevention — Infrastructure Controls | operator
SID-PPL-01 | Personnel Screening and Onboarding | operator
SID-PPL-02 | Security Awareness, Education, and Training | operator
SID-PPL-03 | Confidentiality and Non-Disclosure Agreements | operator
SID-PHY-01 | Data Center Physical Security | operator
SID-PHY-02 | Equipment and Media Security | operator
SID-PRIV-01 | Minimal Disclosure Enforcement | platform
SID-PRIV-02 | VP Nonce Binding (Anti-Replay) | platform
SID-PRIV-03 | Right-to-Erasure Bulk Deletion API | platform
SID-PRIV-04 | Pseudonymous Authentication | platform
SID-TRANS-01 | TLS 1.2+ Minimum with Configurable Version | platform
SID-TRANS-02 | OpenID4VCI Credential Issuance Protocol | platform
SID-TRANS-03 | OpenID4VP Credential Presentation Protocol | platform
SID-TRANS-04 | SSRF-Protected HTTP Client | platform
SID-TRANS-05 | Operator TLS Deployment Enforcement | operator
SID-TRUST-03 | Issuer and Verifier Trust Gating | platform
SID-TRUST-04 | Trust Decision Caching with Circuit Breaker | platform
SID-TRUST-05 | Relying Party Registration and Over-Request Detection | platform

Detect (DE)

Develop and implement activities to identify the occurrence of a cybersecurity event in a timely manner.

Control | Title | Owner
SID-AUDIT-01 | Structured Security Event Logging | platform
SID-AUDIT-02 | Privacy-Preserving Audit Event Taxonomy | platform
SID-OPS-04 | Vulnerability Management | platform
SID-OPS-06 | Monitoring and Alerting | operator
SID-OPS-07 | Fraud Management | operator
SID-PPL-04 | Information Security Event Reporting | operator

Respond (RS)

Take action regarding a detected cybersecurity incident to contain its impact.

Control | Title | Owner
SID-OPS-01 | Incident Response and Management | operator

Recover (RC)

Maintain plans for resilience and restore capabilities or services impaired by a cybersecurity incident.

Control | Title | Owner
SID-OPS-02 | Business Continuity and ICT Readiness | operator
SID-OPS-03 | Backup and Recovery | operator