NIST CSF 2.0
Risk Response Determination
ID.RA-06: Risk responses are chosen, prioritized, planned, tracked, and communicated
Ex1: Apply the vulnerability management plan’s criteria for deciding whether to accept, transfer, mitigate, or avoid risk
Ex2: Apply the vulnerability management plan’s criteria for selecting compensating controls to mitigate risk
Ex3: Track the progress of risk response implementation (e.g., plan of action and milestones [POA&M], risk register, risk detail report)
Ex4: Use risk assessment findings to inform risk response decisions and actions
Ex5: Communicate planned risk responses to affected stakeholders in priority order
Tier
Not Applicable - Not applicable
No - The outcome(s) have not been meaningfully implemented.
Tier 1: Partial - Application of the organizational cybersecurity risk strategy is managed in an ad hoc manner. Prioritization is ad hoc and not formally based on objectives or threat environment.
Tier 2: Risk Informed - Risk management practices are approved by management but may not be established as organization-wide policy. The prioritization of cybersecurity activities and protection needs is directly informed by organizational risk objectives, the threat environment, or business/mission requirements.
Tier 3: Repeatable - The organization’s risk management practices are formally approved and expressed as policy. Risk-informed policies, processes, and procedures are defined, implemented as intended, and reviewed. Organizational cybersecurity practices are regularly updated based on the application of risk management processes to changes in business/mission requirements, threats, and technological landscape.
Tier 4: Adaptive - There is an organization-wide approach to managing cybersecurity risks that uses risk-informed policies, processes, and procedures to address potential cybersecurity events.