Overview
The Cye Exposure Management Platform measures organizational cybersecurity maturity by linking the assets in your environment (technologies, processes, and people-based capabilities) to NIST Cybersecurity Framework (CSF) subcategories. Each supported mitigation has a predefined mapping to one or more NIST subcategories under both NIST CSF 1.1 and NIST CSF 2.0, so the platform can attribute coverage correctly during an assessment.
What is a mitigation?
What is a mitigation?
Mitigations are the building blocks Cye uses to express security coverage. They are grouped into three categories:
Technologies: security tooling deployed in your environment (for example, EDR, SIEM, WAF).
Processes and Procedures: recurring practices and policies (for example, incident response, access reviews).
People: workforce-based capabilities and roles (for example, awareness programs, vCISO services).
Every supported mitigation appears in one of the tables below, with its ID, name, and NIST CSF mapping.
A single mitigation can satisfy multiple NIST subcategories. When it does, all linked subcategories receive the mitigation's contribution to their maturity score.
Mitigations without an equivalent mapping for a framework version are shown as a dash "—".
Technologies
Security tools and platforms that Cye recognizes as protective, detective, or response capabilities.
69 supported mitigations.
Mitigation ID & Name | NIST CSF 1.1 | NIST CSF 2.0 |
M2 EDR or XDR (Endpoint Detection and Response) | DE.AE-2, DE.AE-3, DE.AE-5, DE.CM-3, DE.CM-4, DE.CM-7, DE.DP-2, RS.MI-1 | DE.AE-02, DE.AE-04, DE.CM-03, DE.CM-09, RS.MI-01, RS.AN-03 |
M3 SIEM (Security Information and Event Management) | DE.AE-2, DE.AE-3, DE.AE-4, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, DE.DP-4 | DE.AE-02, DE.AE-03, DE.AE-04, DE.AE-06, DE.AE-07, DE.AE-08, DE.CM-01, DE.CM-03, DE.CM-09 |
M4 MDR (Managed Detection and Response) | RS.AN-1, RS.AN-2, RS.AN-3, RS.AN-4, RS.MI-1, RS.MI-2, RS.RP-1 | RS.MA-01, RS.MA-02, RS.MA-03, RS.MA-04, RS.MI-01, RS.MI-02, RS.AN-03 |
M7 SSO (Single Sign On) | PR.AC-1, PR.AC-7, PR.AC-6 | — |
M9 Password Management Vault | PR.AC-1, PR.AC-4 | PR.AA-01, PR.AA-05, PR.AA-04 |
M10 EFSS (Enterprise File Sync and Share) | PR.DS-1 | PR.DS-01 |
M11 DLP (Data Loss Prevention) | PR.DS-5, PR.PT-2 | PR.DS-01, PR.DS-10 |
M13 SAST (Static Application Security Testing) | PR.IP-2 | PR.PS-06 |
M14 Data Masking / Anonymization / Obfuscation | PR.DS-1 | PR.DS-01 |
M15 Data Encryption | PR.DS-1 | PR.DS-01 |
M16 CSPM (Cloud Security Posture Management) | RS.MI-3, PR.AC-5, PR.IP-1, ID.RA-1, DE.CM-8, PR.PT-3 | ID.RA-01, PR.IR-01, PR.PS-01 |
M19 Firewall | PR.AC-5, RS.MI-1 | PR.IR-01, RS.MI-01 |
M21 Firewall Analyzer | ID.AM-3 | ID.IM-03 |
M22 Vulnerability Assessment and Network Scanning | ID.RA-1, PR.IP-12, DE.CM-8, RS.MI-1 | ID.RA-01 |
M23 MDM (Mobile Device Management) | ID.AM-1, PR.IP-1, RS.MI-1 | ID.AM-01, ID.AM-08, PR.PS-01, PR.PS-03 |
M25 TIP (Threat Intelligence Platform) | ID.RA-2, ID.RA-3 | ID.RA-02, ID.RA-03, DE.AE-07 |
M26 CRQ (Cyber Risk Quantification) | ID.GV-4, ID.RA-4, ID.RA-5, ID.RA-6, ID.RM-2, ID.RM-3 | GV.RM-04, ID.RA-03, ID.RA-04, ID.RA-05, ID.RA-06, GV.RM-02, GV.RM-03, GV.RM-06, GV.RM-07 |
M27 VM (Vulnerability Management) | ID.RA-1, PR.IP-12, DE.CM-8, RS.MI-3 | ID.RA-01, ID.RA-05, PR.PS-02 |
M28 Email Security | DE.CM-3 | DE.CM-03 |
M29 IDS or IPS (Intrusion Detection and Prevention System) | DE.CM-1 | DE.CM-01 |
M30 PAM (Privileged Access Management) | PR.AC-1, PR.AC-4, PR.AC-6, PR.AC-7, PR.MA-1, PR.MA-2, PR.PT-3, DE.CM-3, DE.CM-7 | PR.AA-01, PR.AA-05, PR.AA-02, PR.AA-03, PR.AA-04, PR.PS-04, DE.CM-06 |
M31 IDP or IAM (Identity and Access Management) | PR.AC-1, PR.AC-4, PR.AC-6, PR.AC-7, PR.PT-3, ID.AM-6, PR.AT-2, PR.MA-2, DE.CM-3 | PR.AA-01, PR.AA-05, PR.AA-02, PR.AA-03, ID.AM-08 |
M32 Patch Management | ID.RA-1, PR.IP-12 | ID.RA-01, PR.PS-02 |
M33 CNAPP (Cloud Native Application Protection Platform) | ID.AM-2, ID.AM-4, PR.PT-3, DE.CM-8, DE.CM-4, ID.RA-1 | ID.AM-02, ID.AM-04, PR.PS-01, ID.RA-01, DE.CM-01, DE.CM-09 |
M34 Safe Browsing | DE.CM-5 | PR.IR-01, DE.CM-01 |
M35 Deception Tools | DE.CM-7 | DE.CM-01, DE.CM-03, DE.CM-09 |
M36 WAF (Web Application Firewall) | PR.DS-2 | — |
M37 SOAR System (Security Orchestration, Automation and Response) & Automated Playbooks | RS.AN-4, RS.MI-1, RS.MI-2, RS.MI-3 | RS.MI-01, RS.MI-02 |
M39 DAST (Dynamic Application Security Testing) | PR.IP-2 | PR.PS-06 |
M40 URL Filtering | DE.CM-3 | DE.CM-03 |
M42 Zero Trust Network Access (ZTNA) | PR.AC-3, PR.AC-5, DE.CM-1, DE.CM-3, PR.AC-1, PR.AC-6, PR.AC-7 | PR.AA-03, PR.AA-04, DE.CM-01, DE.CM-03, PR.AA-05, PR.IR-01, PR.AA-02, PR.AA-01 |
M43 API Security | PR.PT-4 | PR.AA-06, PR.IR-01 |
M44 BAS (Breach and Attack Simulation) | ID.RA-4, ID.RA-3, ID.RA-1 | ID.RA-01, ID.RA-03, ID.RA-04 |
M45 CDR (Content Disarm and Reconstruction) | DE.CM-5 | DE.CM-09 |
M47 Data Flow Mapping Tool | ID.AM-3, DE.AE-1 | ID.AM-03 |
M50 Backup and Recovery Systems | PR.IP-4, RC.RP-1 | PR.DS-11, RC.RP-03 |
M51 Digital Forensic Software | RS.AN-3 | RS.AN-03, RS.AN-06 |
M52 Secure Web Gateway | PR.AC-5 | PR.IR-01, DE.CM-03 |
M53 Asset Management | ID.AM-1, ID.AM-2, PR.DS-3 | ID.AM-01, ID.AM-02, ID.AM-08, PR.PS-03 |
M54 BMS (Building Management System) | DE.CM-2 | DE.CM-02 |
M55 CASB (Cloud Access Security Broker) | DE.CM-3, ID.AM-4, PR.DS-5, ID.AM-2 | DE.CM-03, ID.AM-04, PR.DS-01, ID.AM-02, PR.DS-02, PR.DS-10 |
M56 NAC (Network Access Control) | PR.AC-7 | PR.AA-03 |
M57 Reverse Proxy | PR.AC-5 | PR.IR-01 |
M62 Database Web Application Firewall | PR.AC-5 | PR.IR-01 |
M64 GRC Personnel and Process | ID.GV-2, ID.GV-3, ID.GV-4 | GV.RR-02, GV.RM-03, GV.RM-04, GV.OV-03, GV.OC-03 |
M155 Database Firewall | PR.DS-1, PR.DS-5 | PR.DS-01, PR.DS-10 |
M157 DNS Security Tools | DE.AE-1, PR.PT-4, RS.MI-1 | DE.CM-01 |
M160 Vendor Management | ID.AM-4, ID.SC-2, ID.SC-4, ID.SC-5, DE.CM-6 | ID.AM-04, DE.CM-06, GV.SC-04, GV.SC-07, GV.SC-03, ID.RA-10, GV.OC-02 |
M163 File Integrity Monitoring (FIM) | PR.DS-6, DE.CM-7 | DE.CM-09, PR.DS-01 |
M164 DNS Security | PR.IP-1, DE.CM-1, ID.AM-1 | PR.AA-05, PR.DS-02, DE.CM-01, PR.PS-01 |
M165 DDoS Protection | ID.BE-5, PR.PT-5 | PR.IR-04, DE.CM-01, RS.MI-01 |
M166 Micro segmentation | PR.AC-5 | PR.AA-05, PR.IR-01, PR.PS-01 |
M167 SD-WAN | PR.AC-5 | PR.AA-05, PR.PS-01 |
M168 Software Composition Analysis (SCA) | ID.RA-1, PR.IP-2 | PR.AA-02, PR.PS-06, PR.AA-03, PR.PS-01 |
M169 API Security Platform | PR.AC-7, PR.AC-6 | PR.AA-04, PR.DS-02, PR.AA-05, DE.CM-01 |
M170 Container Security | PR.IP-12, DE.CM-7 | ID.RA-01, DE.CM-09, PR.PS-01, PR.PS-02 |
M171 Encryption Or Key Management (KMS Or HSM) | PR.DS-1, PR.DS-2, PR.DS-5, PR.AC-1 | PR.DS-01, PR.DS-02, PR.DS-10, PR.AA-01 |
M172 Tokenization Or Data Masking | PR.DS-1, PR.DS-5 | PR.DS-01, PR.DS-10 |
M173 User and Entity Behavior Analytics (UEBA) | DE.CM-3, DE.CM-7 | DE.CM-03, DE.AE-02 |
M174 Incident Response Management Platform | RS.RP-1, RS.CO-2, RS.MI-1 | RS.MA-01, RS.MA-04, RS.MA-05, RS.CO-02, RS.CO-03, RS.MI-01 |
M175 GRC Platform | ID.GV-1, ID.RM-1, ID.GV-2 | GV.PO-02, GV.RM-01, GV.OV-03 |
M176 Risk Management Platform | ID.RA-1, ID.RM-1 | GV.RM-01, GV.RM-02, GV.RM-03, GV.RM-06, GV.RM-07 |
M177 Phishing Simulation Platform | PR.AT-1, PR.AT-2 | PR.AT-01, PR.AT-02 |
M178 Physical Access Control Systems (PACS) | PR.AC-3, PR.AC-2 | PR.IR-02, PR.AA-06 |
M209 MFA Deployment | PR.AC-1, PR.AC-7 | PR.AA-01, PR.AA-03, PR.AA-05 |
M213 CMDB Deployment | ID.AM-1, ID.AM-2 | ID.AM-01, ID.AM-02 |
M216 Secret scanning | PR.AC-1, PR.DS-1 | — |
M220 AI security monitoring | ID.AM-2, DE.CM-8, PR.IP-1 | — |
M228 PSM (Privileged Session Monitoring & Recording) | PR.PT-1, DE.CM-7 | PR.PS-04, DE.CM-06, DE.CM-03 |
Processes and Procedures
Documented, recurring security activities (policies, procedures, drills, reviews, and operational workflows) that contribute to maturity coverage when implemented.
130 supported mitigations.
Mitigation ID & Name | NIST CSF 1.1 | NIST CSF 2.0 |
M1 Block network access | PR.AC-5 | PR.IR-01 |
M6 Hash and Salt | PR.AC-1, PR.AC-7 | PR.AA-01, PR.AA-03, PR.AA-05 |
M8 Sensitive data removal and credentials rotation | PR.AC-1, PR.AC-7, PR.AC-2 | PR.AA-01, PR.AA-03, PR.AA-05, PR.AA-02 |
M17 Asset Removal | PR.DS-3 | ID.AM-08, PR.PS-03 |
M18 Network segmentation and segregation | PR.AC-5 | PR.IR-01 |
M20 Patching practice | ID.RA-1, PR.IP-12, DE.CM-8, ID.RA-2 | ID.RA-01, PR.PS-02, ID.RA-06 |
M24 GPOs (Deploying hardened Group Policy Objects) | PR.IP-1, PR.PT-3 | ID.RA-01, PR.PS-01, PR.PS-02 |
M38 Incident management and response | RS.CO-2, RS.AN-4 | RS.CO-02, RS.MA-03 |
M41 Vendor management Processes | ID.AM-4, ID.SC-2, ID.SC-4, ID.SC-5, DE.CM-6 | ID.AM-04, GV.SC-04, GV.SC-07, GV.SC-03, ID.RA-10 |
M46 Role based awareness training | PR.AT-1, PR.AT-2, PR.AT-3, PR.AT-5, PR.IP-2 | PR.AT-01, PR.AT-02, PR.PS-06 |
M48 OT security | PR.IP-1, PR.PT-4 | ID.IM-02, ID.IM-04, PR.AA-06, PR.IR-01 |
M58 Web asset hardening | PR.DS-6 | PR.DS-01, DE.CM-09 |
M59 Periodic application security bug analysis | ID.RA-1, PR.IP-2 | ID.RA-01, PR.PS-06 |
M61 Secure Software Development Life Cycle (SDLC) | PR.DS-7, PR.IP-2 | PR.IR-01, PR.PS-06, ID.AM-08 |
M63 Periodic awareness training | PR.AT-1, PR.AT-2, PR.AT-3, PR.AT-4, PR.AT-5 | PR.AT-01, PR.AT-02 |
M65 Implement and enforce a strong password policy | PR.AC-1, PR.AC-4 | PR.AA-01, PR.AA-05 |
M66 Authentication enforcement | PR.AC-7 | PR.AA-03 |
M67 Incident management procedure | DE.DP-1, RS.AN-1, RS.CO-1, RS.CO-2, RS.CO-4, RS.AN-2, RS.RP-1, RS.AN-4 | RS.CO-03, RS.MA-02, RS.CO-02, RS.MA-01, RS.MA-05, RS.MA-03 |
M68 Device onboarding offboarding | ID.AM-1, PR.DS-3 | ID.AM-01, ID.AM-08, PR.PS-03 |
M69 SAAS and on prem product catalog | ID.AM-2, ID.AM-4 | ID.AM-02, ID.AM-04 |
M70 Data mapping | DE.AE-1 | ID.AM-03 |
M71 New initiative security approval | ID.GV-1, ID.GV-2 | ID.AM-08, GV.RR-02 |
M72 Crown jewels analysis | ID.AM-3, ID.AM-5, ID.BE-4 | ID.AM-05, ID.AM-03, GV.OC-04, GV.OC-05 |
M73 Information security policy review and annual approval | ID.GV-1 | GV.PO-02, GV.PO-01 |
M74 Supply chain self assessment | ID.BE-1, ID.BE-2 | GV.SC-07 |
M75 RTO RPO policy | ID.BE-5 | GV.OC-04 |
M76 C level management sponsorship | ID.GV-1, ID.GV-2 | GV.RR-01 |
M77 Risk matrix annual review | ID.GV-4, ID.RA-3, ID.RA-4, ID.RA-5, ID.RA-6, ID.RM-1, ID.RM-2, ID.RM-3 | ID.RA-03, ID.RA-04, ID.RA-05, ID.RA-06, GV.RM-03, GV.RM-06, GV.RM-02, GV.RM-04 |
M78 Vulnerability KPI tracking | ID.RA-1, PR.IP-12, RS.MI-3 | ID.RA-01, ID.IM-03, GV.OV-03 |
M79 CTI signals handling process | ID.RA-2 | ID.RA-02, DE.AE-07 |
M80 Risk management process | ID.RA-3, ID.RA-4, ID.RA-5, ID.RA-6, ID.RM-1, ID.RM-2, ID.RM-3 | ID.RA-03, ID.RA-04, ID.RA-05, ID.RA-06, GV.RM-06, GV.RR-03, GV.RM-03, GV.RM-02, GV.RM-04, GV.RM-01 |
M81 Vendors onboarding procedure | ID.SC-1, ID.SC-2, ID.SC-3 | ID.RA-10, GV.SC-06 |
M84 Employee onboarding offboarding Process | PR.AC-1, PR.AC-7, PR.IP-11 | PR.AA-01, PR.AA-05, GV.RR-04 |
M85 User access review | PR.AC-1, PR.AC-4 | PR.AA-01, PR.AA-05 |
M86 Visitors to physical sites procedure | PR.AC-2, PR.IP-5 | PR.AA-06 |
M87 Vendor on site support procedure | PR.AC-2, PR.IP-5 | PR.AA-06 |
M88 Physical security dispatch policies & procedures | PR.AC-2, PR.IP-5 | PR.AA-06 |
M89 Vendors remote access procedure | PR.AC-3, DE.CM-6 | DE.CM-06, PR.IR-01, PR.AA-03, PR.AA-05, GV.SC-07 |
M90 Change management procedure | PR.MA-1, PR.IP-3 | ID.AM-08, PR.PS-01 |
M91 Inactive users review | PR.AC-1 | PR.AA-01, PR.AA-05 |
M92 Data protection policy | PR.DS-1, PR.DS-2, PR.DS-5, PR.DS-8, PR.IP-6, PR.PT-2 | PR.DS-01, PR.DS-02, PR.DS-10 |
M93 System capacity testing | PR.DS-4 | PR.IR-04 |
M94 OT environment security strategy | PR.PT-4 | PR.PS-01, PR.IR-01 |
M95 Restore process | RC.RP-1, PR.IP-4 | RC.RP-01, RC.RP-03, RC.RP-05, RC.RP-02, PR.DS-11 |
M96 Restore drills | PR.IP-4, RC.RP-1, PR.IP-11 | PR.DS-11, RC.RP-01, RC.RP-03, ID.IM-04 |
M97 Data disposal procedure | PR.IP-6 | ID.AM-08 |
M98 Conditional access policy review | PR.AC-7 | PR.AA-03, PR.AA-05 |
M99 DRP (Digital risk protection) annual review | PR.IP-9 | ID.IM-04 |
M100 Screening procedure | PR.IP-11 | GV.RR-04 |
M101 Security monitoring policy | PR.PT-1, DE.AE-2, DE.AE-4, DE.DP-1, DE.DP-2, DE.DP-4, DE.DP-5 | PR.PS-04, DE.AE-02, DE.AE-06, DE.AE-08 |
M102 Alert handling process | DE.AE-2, DE.AE-3, DE.AE-4, DE.AE-5 | DE.AE-02, DE.AE-03, DE.AE-04, DE.AE-08 |
M103 Cloud governance policy | PR.PT-3 | PR.PS-01 |
M104 DR (Disaster Recovery) procedure | PR.PT-5 | PR.IR-03, RC.RP-02, RC.RP-05 |
M105 Event handling process | RS.AN-2, DE.DP-1, DE.DP-2, DE.DP-4, RS.AN-1, RS.AN-3, RS.AN-4 | GV.RR-02, DE.AE-02, DE.AE-04, RS.AN-06, DE.AE-06, RS.MA-02, RS.AN-03, DE.AE-08 |
M106 Escalation procedure | DE.AE-2, DE.AE-4 | DE.AE-02, DE.AE-04, RS.MA-04, RS.CO-02 |
M107 Data source health verification process | DE.AE-3, DE.DP-2, PR.PT-1 | DE.AE-03, PR.PS-04 |
M108 Severity criteria | DE.AE-4, DE.AE-5 | DE.AE-04, DE.AE-08, RS.MA-05 |
M109 Alert improvement process | DE.DP-3, DE.DP-5 | ID.IM-01, ID.IM-03 |
M110 Physical security policy and procedure | DE.CM-2, PR.AC-2 | DE.CM-02, PR.AA-06 |
M111 Network agent review process | DE.CM-4, DE.DP-3 | DE.AE-04 |
M112 Forensics package collection process | RS.AN-3 | RS.AN-06, RS.AN-07 |
M114 SOC tiering structure | DE.DP-1 | GV.RR-02, DE.AE-06 |
M115 SIEM change management process | DE.AE-5, DE.DP-2, DE.DP-3, DE.DP-5 | ID.IM-02 |
M116 IRP (Incident Response Plan) annual update and approval | RS.IM-1, RS.IM-2, PR.IP-9 | ID.IM-04, ID.IM-03 |
M117 IRP Communication Process | RS.CO-4 | ID.IM-04, RS.CO-02, RS.CO-03 |
M118 Incident reporting procedure | RS.CO-2 | RS.CO-02 |
M119 Information sharing procedure | RS.CO-5, RS.AN-5, ID.RA-2 | RS.CO-03, ID.RA-08, ID.RA-02 |
M120 Host and network isolation process | RS.MI-1 | RS.MI-01 |
M121 DDOS response process | RS.MI-1, PR.PT-5 | RS.MI-01, PR.IR-03 |
M122 Forensics and mitigation planning | RS.AN-3, RS.MI-1 | RS.AN-03, RS.AN-06 |
M123 Post mortem process | RS.IM-1, RS.IM-2 | ID.IM-03, ID.IM-04 |
M124 BCP annual update and approval | RC.RP-1, PR.IP-9, RC.CO-3 | RC.RP-01, ID.IM-04, ID.IM-03, RC.CO-03 |
M125 BCP is communicated | RC.CO-3 | ID.IM-04 |
M126 Maintenance procedures | PR.MA-1, PR.MA-2 | ID.AM-08, PR.PS-03, PR.PS-02 |
M127 Privileged accounts hardening | PR.MA-1, PR.AC-4 | ID.AM-08, PR.PS-03, PR.AA-05 |
M128 Remote support procedure | PR.MA-2, PR.AC-3 | ID.AM-08, PR.PS-02, PR.AA-03, PR.AA-05, PR.IR-01 |
M129 Security controls roles and responsibilities | ID.AM-4 | GV.RR-02, GV.RR-03, PR.AT-02 |
M130 Central management (centralized security management) | ID.AM-1, ID.AM-2 | ID.AM-01, ID.AM-02 |
M131 Security steering committee | ID.BE-3 | GV.OV-01, GV.OV-02, GV.RR-01 |
M132 KPIs are defined | ID.BE-3 | GV.OV-01, GV.OV-03 |
M134 Annual risk management review committee | ID.RM-1, ID.RM-2, ID.RM-3, ID.GV-4, ID.RA-3, ID.RA-4, ID.RA-5, ID.RA-6 | GV.RM-02, GV.RM-04, GV.RM-03, GV.RM-01, GV.OV-02, GV.RR-01, GV.OV-03, GV.OV-01 |
M135 Policy communication to the organization | ID.GV-1 | GV.PO-01, GV.PO-02 |
M136 IR (Incident response) drills | ID.SC-5 | GV.SC-08, ID.IM-02 |
M137 Legal security communication process | ID.GV-3 | GV.OC-03 |
M138 KPIs communication policy | PR.IP-7, PR.IP-8 | ID.IM-03 |
M139 Phishing campaigns program | PR.AT-1 | PR.AT-01 |
M141 New security initiative approval | PR.PT-3 | PR.PS-01, ID.AM-08 |
M142 Red team drills | DE.DP-3, DE.DP-5, PR.IP-10 | ID.IM-02, ID.IM-04 |
M143 Purple team drills | DE.AE-5, DE.DP-3, RS.AN-2, RS.AN-4, DE.AE-2, DE.DP-5 | ID.IM-02, ID.IM-04 |
M144 BCP (Business Continuity Plan) drills | PR.IP-10, RC.RP-1 | ID.IM-02, ID.IM-04, RC.RP-01 |
M146 Response plan drills | RS.IM-1, RS.RP-1, RS.CO-1, RS.CO-3, RS.CO-4, PR.IP-10, RS.IM-2 | ID.IM-04 |
M148 BCP (Business Continuity Planning) policy | RC.RP-1 | RC.RP-01, RC.RP-02, RC.RP-06 |
M150 C level tabletop drills | RS.MI-1, RS.MI-2, PR.AT-4 | PR.AT-02, RS.MI-02 |
M151 SOD (Segregation of duties) | ID.GV-2, ID.AM-6 | GV.RR-02, GV.SC-02 |
M152 Roles and responsibilities definition | ID.GV-2, ID.AM-6 | GV.RR-02, GV.RR-03, GV.SC-02, PR.AT-02 |
M153 Information sharing policy | PR.DS-5 | PR.DS-02, PR.DS-10, PR.DS-01 |
M154 DAM (Database activity monitoring) | PR.DS-1, PR.DS-5 | PR.DS-01, PR.DS-10 |
M156 Employee internal mobility procedure | PR.AC-4, PR.IP-11 | PR.AA-05, GV.RR-04 |
M158 System hardening procedure | PR.IP-1, PR.PT-3 | PR.PS-01, PR.PS-05 |
M159 SOC playbooks and investigation procedure | DE.CM-1, DE.CM-3, DE.CM-4, DE.CM-5, DE.CM-7, DE.DP-2, RS.MI-2 | DE.CM-01, DE.CM-09, DE.CM-03, DE.CM-06, RS.MI-02 |
M179 Threat Modeling Process | ID.RA-3, ID.RA-4, ID.RA-5 | ID.RA-03, ID.RA-04, ID.RA-05 |
M180 Security Architecture Review Process | PR.PT-3 | PR.PS-01, ID.AM-08 |
M181 Security Exception Or Risk Acceptance Process | ID.RM-1, ID.RA-1 | GV.RM-01, GV.RM-02, GV.RM-03, GV.RM-06, GV.RM-07 |
M182 Data Retention Process | PR.IP-6, PR.DS-1, PR.DS-5 | PR.DS-01, PR.DS-02, PR.DS-10 |
M183 Application Security Deployment Review | PR.IP-2, PR.DS-1, PR.IP-12 | ID.RA-01, DE.CM-09, PR.PS-06 |
M184 Mobile Device Security Process | PR.PT-3, PR.IP-1 | PR.PS-01 |
M186 Insider Threat Detection Process | DE.CM-3, DE.CM-7 | DE.AE-02, DE.CM-03 |
M187 Security Awareness Effectiveness Measurement Process | PR.AT-1, PR.AT-2, PR.AT-4 | PR.AT-01, PR.AT-02 |
M193 Threat hunting | DE.AE-2, DE.AE-5, DE.CM-1, DE.CM-2, DE.CM-3, DE.CM-6, DE.CM-7, DE.DP-4 | DE.AE-02, DE.AE-06, DE.AE-08, DE.CM-01, DE.CM-02, DE.CM-03, DE.CM-06, DE.CM-09 |
M194 Exposure Management | ID.RA-1, ID.RA-2, ID.RA-5 | ID.RA-01, ID.RA-02, ID.RA-05 |
M195 Security Governance | ID.GV-1 | GV.PO-01 |
M198 SSDLC Improvement | PR.IP-2 | PR.PS-06 |
M200 Incident Readiness | ID.GV-1, PR.IP-9, RS.CO-2, RS.CO-3, RS.RP-1 | GV.PO-02, ID.IM-04, RS.MA-01, RS.CO-02, RS.CO-03 |
M201 Data Classification and protection | PR.DS-1 | PR.DS-01 |
M204 Internet Perimeter | PR.IP-1, PR.AC-5 | — |
M205 IR Tabletop Exercises | PR.IP-9, ID.SC-5, PR.IP-10, PR.AT-2, PR.AT-3, PR.AT-4 | ID.IM-04, GV.SC-08, ID.IM-02, PR.AT-01 |
M206 Third-Party Risk Management | ID.SC-1, ID.SC-2, ID.SC-3, ID.SC-4, ID.SC-5 | GV.SC-01, GV.SC-03, GV.SC-04, GV.SC-05, GV.SC-06, GV.SC-07, GV.SC-08, GV.SC-09, GV.SC-10, GV.RM-05, ID.RA-10 |
M210 IdP & Email Hardening | ID.AM-3, DE.AE-3, DE.CM-1 | — |
M211 Backup Protection | PR.IP-4 | PR.DS-11 |
M212 SOC Uplift | DE.CM-1, DE.CM-3, DE.CM-6, DE.CM-7 | DE.CM-01, DE.CM-03, DE.CM-06, DE.CM-09 |
M214 Application Assessments program | PR.IP-3, PR.IP-1 | — |
M215 Cloud Risk Assessment program | ID.RA-1, ID.RA-3, ID.RA-5, ID.RA-6 | ID.RA-01, ID.RA-05, ID.RA-06, ID.IM-01 |
M217 Architecture mapping | ID.AM-3 | ID.AM-03 |
M218 Application Threat Modeling Procedure | ID.RA-3, ID.RA-5 | ID.RA-03, ID.RA-05 |
M221 AI Policy implementation | PR.IP-12, DE.CM-8 | — |
M222 AI secure development procedure | PR.IP-2, PR.DS-6 | PR.PS-06 |
M223 Vulnerability Management Process | ID.RA-1, ID.RA-5, ID.RA-6, RS.AN-5 | ID.RA-01, ID.RA-05, ID.RA-06, ID.RA-08 |
M224 Cyber Insurance | ID.GV-3, ID.GV-4 | GV.OC-03, GV.RM-04 |
M225 Cyber Intelligence Service | ID.RA-2 | ID.RA-02 |
M226 Executive Cyber Risk & Security Reporting | ID.GV-4 | GV.OV-01, GV.OV-03 |
People
Workforce-driven mitigations covering awareness, security roles, and advisory services.
4 supported mitigations.
Mitigation ID & Name | NIST CSF 1.1 | NIST CSF 2.0 |
M203 Awareness Program | PR.AT-1, PR.AT-2 | PR.AT-01, PR.AT-02 |
M207 Security Personnel | ID.GV-2, ID.RM-1 | GV.RR-03, GV.RR-02 |
M208 vCISO Services | ID.GV-2, ID.RM-1 | GV.RR-03, GV.RR-02 |
M219 Developers secure training program | PR.AT-2 | PR.AT-02 |
Wrap-up / Next Steps
Open the Assets page in the Cye Platform to see which of these mitigations are linked to your environment.
Use the Unmapped Framework filter to find technologies and processes that haven't yet been associated with a NIST subcategory.
Review the Technologies and Processes maturity articles to understand how each linked mitigation contributes to your score.
Create a finding when a mitigation provides only partial coverage. See Understanding Maturity — How Progress Drives Your Score.