Cybersecurity Supervision Work Program References

The Cybersecurity Supervision Work Program (CSW) provides high-level examination procedures that are aligned with existing supervisory guidance and the National Institute of Standards and Technology Cybersecurity Framework. Users can filter and search for procedures by using the CSW Cross-References table on this page. The procedures are cross-referenced to common industry cybersecurity frameworks. Learn more about the OCC’s cybersecurity supervision.

The CSW is a component of the OCC’s risk-based bank information technology supervision process. The CSW sets no new regulatory expectations, and national banks and federal savings associations are not expected to use this work program to assess cybersecurity preparedness.

CSW Cross-References

Use the filters below to see a table of CSW procedures and the cross-references or click search without applying filters to view all data. Learn more about CSW Cross-References.

Function	Function / Category / Unique ID	Procedure	OCC Resources	FFIEC IT Examination Handbook InfoBase	Industry Frameworks	Procedure Short Text	Category	Unique ID
Identify	Identify / IT Asset Management / ID.AM-1.AI	IT Asset Inventory: Evaluate the effectiveness of processes implemented to identify and maintain the asset inventory of all on-site and off-site system devices, hardware, and other system components.	OCC Bulletin 2020-46 Attachment OCC Bulletin 2020-94 Attachment, Appendix A, page 10	Information Security Booklet II.C.5 Appendix A, Objective 6, procedure 6, parts a - e Architecture, Infrastructure, and Operations Booklet III.B III.B.1 Appendix A, Objective 4, procedure 1 Appendix A, Objective 4, procedure 3, parts a and b Appendix A, Objective 4, procedure 5, parts a - f	Center for Internet Security (CIS) 1.1 Cyber Risk Institute (CRI) ID.AM-1.1 ID.AM-2.1 ID.AM-3.3 ID.AM-4.1 FFIEC Cybersecurity Assessment Tool (CAT) D1.G.IT.B.1 D1.G.IT.B.2 D1.G.IT.B.3 NIST SP 800-53 r5 CM-8 CM-8 (4)	IT Asset Inventory	IT Asset Management	ID.AM-1.AI
Identify	Identify / IT Asset Management / ID.AM-2.SI	Software Inventory: Evaluate the effectiveness of software inventory management processes to include end of support and end of life situations.	None	Architecture, Infrastructure, and Operations Booklet III.B.2 Appendix A, Objective 4, procedure 4, parts a - g	Center for Internet Security (CIS) 2.1 FFIEC Cybersecurity Assessment Tool (CAT) D1.G.ITE.1 NIST SP 800-53 r5 CM-8 CM-8 (4) PM-5	Software Inventory	IT Asset Management	ID.AM-2.SI
Identify	Identify / IT Asset Management / ID.AM-3.DF	Data Flow: Evaluate the effectiveness of the processes for developing, maintaining, and securing data flow diagrams.	OCC Comptroller’s Handbook: Community Bank Supervision Information Technology, Objective 1, Procedure 4	Information Security Booklet II.C.6 II.C.9 Appendix A, Objective 1, procedure 3, part b Appendix A, Objective 6, procedure 10, part b Architecture, Infrastructure, and Operations Booklet III.C.2 Appendix A, Objective 5, procedure 1	Center for Internet Security (CIS) 3.8 Cyber Risk Institute (CRI) ID.AM-3.1 ID.AM-3.3 FFIEC Cybersecurity Assessment Tool (CAT) D4.C.Co.B.3 D4.C.Co.B.4 D4.C.Co.E.3 D4.C.Co.Int.1 NIST SP 800-53 r5 AC-4 PL-8	Data Flow	IT Asset Management	ID.AM-3.DF
Identify	Identify / IT Asset Management / ID.AM-4.EC	External Connections: Assess the processes for identifying and maintaining an inventory of all external connections.	OCC Bulletin 2020-46 Attachment, page 5 OCC Bulletin 2020-94 Attachment, Appendix A, page 10 OCC Comptroller’s Handbook: Community Bank Supervision Information Technology, Objective 1, Procedure 4 Information Technology, Objective 3, Procedures 1 - 4	Architecture, Infrastructure and Operations Booklet III.B III.B.1(a) Appendix A, Objective 4, procedure 3 Appendix A, Objective 11, procedure 1, part a Appendix A, Objective 13, procedure 7, part b Appendix A, Objective 14, procedure 2, parts a - e Business Continuity Management Booklet III.A.1 III.B.1 Information Security Booklet II.C.5	Center for Internet Security (CIS) 12.4 Cyber Risk Institute (CRI) ID.AM-3.3 FFIEC Cybersecurity Assessment Tool (CAT) D1.G.IT.B.1 D4.C.Co.B.3 D4.C.Co.B.4 D4.C.Co.E.1 NIST SP 800-53 r5 AC-20 SA-9	External Connections	IT Asset Management	ID.AM-4.EC
Identify	Identify / IT Asset Management / ID.AM-5.DM	Data Management: Evaluate the effectiveness of the data management life cycle to include identification, analysis, storage, and disposal.	OCC Bulletin 2020-94 Attachment, Appendix A, page 10 OCC Comptroller’s Handbook: Community Bank Supervision Information Technology, Objective 5, Procedure 1 Information Technology, Objective 5, Procedure 3	Architecture, Infrastructure, and Operations Booklet III.A III.A.1 Appendix A, Objective 3, procedures 1-4	Center for Internet Security (CIS) 3.2 Cyber Risk Institute (CRI) ID.AM-3.2 PR.IP-6.1 FFIEC Cybersecurity Assessment Tool (CAT) D1.G.IT.B.1 D4.RM.Co.B.1 D4.RM.Co.B.2 NIST SP 800-53 r5 SI-12 SI-12 (3)	Data Management	IT Asset Management	ID.AM-5.DM
Identify	Identify / IT Asset Management / ID.AM-5.DI	Data Classification: Assess the adequacy of the data classification methodology to determine if data criticality and sensitivity are identified and maintained.	OCC Comptroller’s Handbook: Community Bank Supervision Information Technology, Objective 5, Procedure 1	Information Security Booklet II.C.5 Appendix A, Objective 6, procedure 6, parts a - e Architecture, Infrastructure, and Operations Booklet III.A.1 III.B Appendix A, Objective 3, procedure 3 Appendix A, Objective 3, procedure 5, parts a - d	Center for Internet Security (CIS) 3.7 Cyber Risk Institute (CRI) ID.AM-5.2 ID.AM-5.1 FFIEC Cybersecurity Assessment Tool (CAT) D1.G.IT.B.2 NIST SP 800-53 r5 RA-9 RA-2	Data Classification	IT Asset Management	ID.AM-5.DI
Identify	Identify / Business Environment / ID.BE-1.SC	Supply Chain: Evaluate how management determines and communicates if the bank holds a critical or systemically important role in providing services to other entities in the financial sector.	None	Business Continuity Management Booklet I III VII.A Appendix A, Objective 10, procedure 25, part c	Cyber Risk Institute (CRI) DM.BE-1 FFIEC Cybersecurity Assessment Tool (CAT) D1.G.IT.A.1 NIST SP 800-53 r5 SR-1 SR-2	Supply Chain	Business Environment	ID.BE-1.SC
Identify	Identify / Business Environment / ID.BE-2.FS	Critical Infrastructure: Evaluate how management determines and communicates the bank’s role in the financial services sector of the U.S. critical infrastructure.	OCC Bulletin 2020-94 Attachment, page 4 OCC Bulletin 2003-14 Attachment	Business Continuity Management Booklet III VII.J Appendix A, Objective 10, procedure 24, parts a, d, e Information Security Booklet II.A	Cyber Risk Institute (CRI) DM.BE-1.1 DM.BE-1.2 FFIEC Cybersecurity Assessment Tool (CAT) D1.G.Ov.B.5 D1.G.Ov.A.6 D1.G.SP.Inn.1 NIST SP 800-53 r5 PM-8	Critical Infrastructure	Business Environment	ID.BE-2.FS
Identify	Identify / Business Environment / ID.BE-4.CR	Critical Dependencies: Evaluate the effectiveness of processes that identify and maintain critical dependencies, such as power, telecommunications, network connectivity, and other critical infrastructures.	OCC Bulletin 2020-94 Attachment, page 4 OCC Bulletin 2003-14 Attachment OCC Comptroller’s Handbook: Community Bank Supervision Information Technology, Objective 1, Procedure 4 Information Technology, Objective 3, Procedures 1 through 4	Business Continuity Management Booklet IV.A.6 IV.A.7 Appendix A, Objective 4, procedure 3, parts a - c Appendix A, Objective 6, procedure 6, parts a – g Appendix A, Objective 10, procedure 25, part d Information Security Booklet II.C.5 II.C.6 II.C.9 II.C.9(a) Appendix A, Objective 6, procedure 7, parts a - f	Cyber Risk Institute (CRI) RC.RP-1.2 DM.BE-2.1 FFIEC Cybersecurity Assessment Tool (CAT) D1.G.Ov.B.5 D4.C.Co.B.1 D3.PC.Se.A.2 NIST SP 800-53 r5 CP-8 PE-9 PE-11 PM-8	Critical Dependencies	Business Environment	ID.BE-4.CR
Identify	Identify / Business Environment / ID.BE-5.RR	Cybersecurity Resilience: Evaluate cybersecurity resilience planning and response capabilities to support delivery of critical services.	OCC Bulletin 2020-94 Attachment, Appendix A OCC Bulletin 2003-14 Attachment OCC Comptroller’s Handbook: Community Bank Supervision Information Technology, Objective 6, Procedures 1 through 8	Business Continuity Management Booklet IV.A.2 Appendix A, Objective 6, procedure 3, parts a – f Appendix A, Objective 6, procedure 5, parts a - f Information Security Booklet Appendix A, Objective 6, procedure 15, parts a – c	Cyber Risk Institute (CRI) RC.RP-1.2 DM.BE-3.1 FFIEC Cybersecurity Assessment Tool (CAT) D1.G.SP.B.6 D5.IR.Pl.E.3 D3.CC.Re.Inn.1 NIST SP 800-53 r5 CP-2 CP-10	Cybersecurity Resilience	Business Environment	ID.BE-5.RR
Identify	Identify / Governance / ID.GV-2.CR	Cybersecurity Roles: Review management and staff roles and responsibilities to determine whether they address cybersecurity risk management processes and procedures.	OCC Comptroller’s Handbook: Community Bank Supervision Information Technology, Objective 2, Procedure 2	Information Security Booklet, section: I I.B Appendix A, Objective 2	Cyber Risk Institute (CRI) GV.RR-1.1 GV.RR-2.1 FFIEC Cybersecurity Assessment Tool (CAT) D1.R.St.B.1 D1.R.S.B.2 NIST SP 800-53 r5 PM-2 PM-3 AT-2 AT-3	Cybersecurity Roles	Governance	ID.GV-2.CR
Identify	Identify / Governance / ID.GV-3.LR	Regulatory Requirements: Evaluate the processes’ effectiveness for maintaining continued compliance with applicable rules and regulations.	OCC Bulletin 2021-55 Attachment OCC Bulletin 2013-39 Attachment OCC Comptroller’s Handbook: Community Bank Supervision Information Technology, Objective 5, Procedure 8 Information Technology, Objective 6, Procedure 8	Management Booklet III.C.3(a) Appendix A, Objective 12, procedure 3 Information Security Booklet Appendix A, Objective 4, procedure 5, parts a – c Architecture, Infrastructure, and Operations Booklet Appendix A, Objective 2, procedure 9, part b	Cyber Risk Institute (CRI) GV.PL-3.1 GV.PL-3.3 FFIEC Cybersecurity Assessment Tool (CAT) D1.G.Ov.E.2 D1.RM.RMP.Int.2 D2.IS.Is.Int.2 NIST SP 800-53 r5 PM-1 RA-1	Regulatory Requirements	Governance	ID.GV-3.LR
Identify	Identify / Governance / ID.GV-4.CR	Cybersecurity Risk: Assess the effectiveness of cybersecurity risk management processes.	OCC Bulletin 2020-94 Attachment, Appendix A OCC Bulletin 2015-20 Attachment OCC Comptroller’s Handbook: Community Bank Supervision Information Technology, Objective 2, Procedure 6 Information Technology, Objective 5, Procedure 1 Information Technology, Objective 5, Procedure 9	Information Security Booklet II Appendix A, Objective 2, procedure 10 Appendix A, Objective 3, procedure 1, parts a – e	Cyber Risk Institute (CRI) GV.RM-1.5 GV.RM-1.6 FFIEC Cybersecurity Assessment Tool (CAT) D1.G.Ov.B.2 D1.RM.RMP.B.1 D1.RM.RMP.E.1 D1.RM.RA.Int.1 D3.CC.Re.B.1 NIST SP 800-53 r5 PM-11 PM-7 SA-2	Cybersecurity Risk	Governance	ID.GV-4.CR
Identify	Identify / Governance / ID.GV-4.AS	Assurance: Review and evaluate assurance and testing processes to determine whether cybersecurity controls are in place and working effectively to mitigate identified security risks.	OCC Bulletin 2020-94 Attachment, page 3 OCC Bulletin 2015-20 Attachment Comptroller’s Handbook: Community Bank Supervision Information Technology, Objective 5, Procedure 2 Information Technology, Objective 5, Procedure 8 Information Technology, Objective 5, Procedure 9	Information Security Booklet IV.A Appendix A, Objective 6, procedure 4, parts a - c Appendix A, Objective 6, procedure 5, parts a - c Appendix A, Objective 10, procedures 1 - 6 Management Booklet I.B.7(b) Architecture, Infrastructure and Operations Booklet II.D	Cyber Risk Institute (CRI) GV.AU-1.2 GV.AU-1.3 GV.AU-3.1 GV.IR-1.1 FFIEC Cybersecurity Assessment Tool (CAT) D1.RM.RMP.E.2 D1.RM.Au.E.3 D1.RM.Au.B.4 D3.DC.Th.B.1 NIST SP 800-53 r5 CA-2 CA-2 (2)	Assurance	Governance	ID.GV-4.AS
Identify	Identify / Governance / ID.GV-4.PT	Penetration testing: Assess the adequacy of scope, frequency, and effectiveness of penetration testing.	OCC Comptroller’s Handbook: Community Bank Supervision Information Technology, Objective 5, Procedure 4	Information Security Booklet IV.A.2(b) Appendix A, Objective 8, procedure 1, parts a - d Appendix A, Objective 10, procedure 1, part a	Center for Internet Security (CIS) 16.13 18 18.1 18.5 Cyber Risk Institute (CRI) DE.CM-8.2 FFIEC Cybersecurity Assessment Tool (CAT) D3.DC.Th.A.2 D3.DC.Th.B.1 D3.DC.Th.E.5 NIST SP 800-53 r5 CA-8	Penetration testing	Governance	ID.GV-4.PT
Identify	Identify / Risk Assessment / ID.RA-2.CT	Threat Intelligence: Evaluate the effectiveness of threat intelligence collection from external sources.	OCC Comptroller’s Handbook: Community Bank Supervision Information Technology, Objective 5, Procedure 1	Information Security Booklet II.C III III.A III.B III.C Appendix A, Objective 4, procedure 4 Appendix A, Objective 8, procedure 3 Business Continuity Management Booklet III.B.1	Center for Internet Security (CIS) 7 Cyber Risk Institute (CRI) ID.RA-2.1 ID.RA-5.2 FFIEC Cybersecurity Assessment Tool (CAT) D1.G.SP.B.3 D1.G.SP.Int.1 D2.TI.Ti.B.1 NIST SP 800-53 r5 SI-5 PM-15 PM-16	Threat Intelligence	Risk Assessment	ID.RA-2.CT
Identify	Identify / Risk Assessment / ID.RA-5.CR	Risk Assessment: Evaluate the cybersecurity risk assessment process to assess whether threats, vulnerabilities, likelihoods, and impacts are used to determine business impacts and overall risk.	OCC Bulletin 2020-94 Attachment, page 4 OCC Comptroller’s Handbook: Community Bank Supervision Information Technology, Objective 5, Procedure 1 Information Technology, Objective 5, Procedure 9	Management Booklet III.B Information Security Booklet II.B III.A Appendix A, Objective 3, procedure 2, part d	Center for Internet Security (CIS) 7.0 Cyber Risk Institute (CRI) ID.RA-4.1 ID.RA-5.1 FFIEC Cybersecurity Assessment Tool (CAT) D1.G.SP.Int.2 D1.RM.RA.B.1 D1.RM.RA.E.1 D2.TI.Th.B.3 NIST SP 800-53 r5 RA-3 RA-3 (3)	Risk Assessment	Risk Assessment	ID.RA-5.CR
Identify	Identify / Risk Assessment / ID.RA-6.RR	Risk Response: Assess the effectiveness of management’s prioritization and response to identified risks to include consideration of cybersecurity insurance.	OCC Comptroller’s Handbook: Community Bank Supervision Information Technology, Objective 5, Procedure 1 Information Technology, Objective 5, Procedure 9	Management Booklet III.B Information Security Booklet II II.C II.B Appendix A, Objective 6, procedure 1, parts a - e Appendix A, Objective 6, procedure 2 Appendix A, Objective 6, procedure 3 Appendix A, Objective 6, procedure 4, parts a - c	Cyber Risk Institute (CRI) GV.RM-1.5 GV.RM-1.6 FFIEC Cybersecurity Assessment Tool (CAT) D1.G.SP.B.1 D2.IS.Is.Inn.2 D1.RM.RA.E.1 D1.RM.RA.A.1 D2.TI.Th.B.3 D2.MA.Ma.Int.4 D2.MA.Ma.A.4 NIST SP 800-53 r5 PM-4	Risk Response	Risk Assessment	ID.RA-6.RR
Identify	Identify / Risk Management Strategy / ID.RM-1.RM	Risk Strategy: Evaluate, as part of cybersecurity risk management, the effectiveness of strategic decisions with regard to business constraints, business priorities, and risk tolerances.	OCC Comptroller’s Handbook: Community Bank Supervision Information Technology, Objective 2, Procedure 7 Information Technology, Objective 7, Procedures 1 - 3	Management Booklet I.B.1 III Appendix A, Objective 2, procedure 1, parts a - d Appendix A, Objective 2, procedure 8, parts a - f Appendix A, Objective 2, procedure 6, parts a - i	Cyber Risk Institute (CRI) GV.SF-1.4 GV.SF-1.5 GV.SF-2.1 FFIEC Cybersecurity Assessment Tool (CAT) D1.G.Ov.B.1 D1.G.Ov.A.4 D1.G.SP.B.2 NIST SP 800-53 r5 PM-9	Risk Strategy	Risk Management Strategy	ID.RM-1.RM
Identify	Identify / Risk Management Strategy / ID.RM-2.RT	Risk Appetite/Tolerance: Evaluate the effectiveness of processes used to determine risk appetite and risk tolerance for cybersecurity.	OCC Comptroller’s Handbook: Community Bank Supervision Information Technology, Objective 7, Procedures 1 - 3	Management Booklet III Appendix A, Objective 2, procedure 1, parts a - d Appendix A, Objective 7, procedure 3, parts a - c	Cyber Risk Institute (CRI) GV.RM-1.6 GV.RM-2.1 GV.SP-2.3 FFIEC Cybersecurity Assessment Tool (CAT) D1.G.Ov.Int.3 D1.G.Ov.Int.4 D1.G.Ov.A.1 NIST SP 800-53 r5 CA-7 (4) RA-7	Risk Appetite/Tolerance	Risk Management Strategy	ID.RM-2.RT
Identify	Identify / Risk Management Strategy / ID.RM-3.CI	Critical Infrastructure Risk Tolerance: Determine whether management considers and incorporates the bank’s role as part of critical infrastructure when establishing risk appetite or risk tolerances.	OCC Comptroller’s Handbook: Community Bank Supervision Information Technology, Objective 7, Procedures 1 - 3	Information Security Booklet III Appendix A, Objective 7, procedure 3, parts a – c Management Booklet III.A Appendix A, Objective 11, procedure 1, parts a – i	Cyber Risk Institute (CRI) DM.BE-1 DM.RS-1.2 DM.RS-2.2 DM.RS-2.3 FFIEC Cybersecurity Assessment Tool (CAT) D1.G.SP.A.3 D1.G.Ov.B.5 D1.G.Ov.A.6 D1.G.SP.A.4 NIST SP 800-53 r5 PM-28 PM-8	Critical Infrastructure Risk Tolerance	Risk Management Strategy	ID.RM-3.CI
Identify	Identify / Supply Chain Risk Management / ID.SC-1.TP	Third party Risk: Evaluate how management incorporates cybersecurity and supply chain risk assessment into their third-party risk management processes.	OCC Bulletin 2023-17 Attachment OCC Bulletin 2021-40 Attachment OCC Bulletin 2017-43 OCC Bulletin 2017-7 Attachment OCC Comptroller’s Handbook: Community Bank Supervision Information Technology, Objective 1, Procedure 5 Information Technology, Objective 3, Procedure 2 Information Technology, Objective 3, Procedure 4	Information Security Booklet II.C.14 II.C.20 Appendix A, Objective 6, procedure 19 Appendix A, Objective 6, procedure 31 Outsourcing Technology Service Booklet Board and Management Responsibilities Ongoing Monitoring Appendix A, Tier 1, Objective 3, procedure 6 Architecture, Infrastructure and Operations Booklet VI.D.1 Appendix A, Objective 17, procedure 1, part d Management Booklet III.C.8 Appendix A, Objective 1, procedure 2, part c Appendix A, Objective 12, procedure 14	Center for Internet Security (CIS) 15 Cyber Risk Institute (CRI) DM.ED-2.1 DM.ED-4.1 DM.ED-3.2 DM.ED-6.5 FFIEC Cybersecurity Assessment Tool (CAT) D1.G.SP.B.5 D1.G.SP.A.3 D4.RM.Om.Int.2 NIST SP 800-53 r5 SR-1 SR-2	Third party Risk	Supply Chain Risk Management	ID.SC-1.TP
Detect	Detect / Anomalies and Events / DE.AE-1.NB	Network Baseline: Evaluate the effectiveness of the process for establishing and managing baseline network activity and normal internal and external data flows for users and systems, including those with third parties.	OCC Bulletin 2015-20 Attachment, page 3 OCC Comptroller’s Handbook: Community Bank Supervision Information Technology, Objective 1, Procedure 4	Architecture, Infrastructure and Operations Booklet V.B.1 III.C V Appendix A, Objective 5, Procedure 1 Appendix A, Objective 13, Procedure 3, parts c, d, h and k Information Security Booklet II.C.6 II.C.9 Appendix A, Objective 6, Procedure 10, part b	Center for Internet Security (CIS) 3.8 13.6 Cyber Risk Institute (CRI) DE.AE-1.1 FFIEC Cybersecurity Assessment Tool (CAT) D3.DC.Ev.B.1 D4.C.Co.B.4 D4.C.Co.E.2 D4.C.Co.Int.1 NIST SP 800-53 r5 SI-4 (13) SA-15 (11) CM-3	Network Baseline	Anomalies and Events	DE.AE-1.NB
Detect	Detect / Anomalies and Events / DE.AE-1.NA	Network Activity Monitoring: Assess the adequacy of processes that monitor network activities and identify and alert for anomalous activity and traffic patterns.	OCC Bulletin 2015-20 Attachment, page 3 OCC Comptroller’s Handbook: Community Bank Supervision Information Technology, Objective 1, Procedure 4 Information Technology, Objective 2, Procedure 6 Information Technology, Objective 5, Procedure 4	Information Security Booklet II.C.9(a) II.C.12 II.C.15(a) II.C.22 III III.A III.C Appendix A, Objective 8, Procedure 1, part h Appendix A, Objective 8, Procedure 4, parts a, d, and e Architecture, Infrastructure, and Operations Booklet V.B.1 Appendix A, Objective 13, Procedure 3, part h	Center for Internet Security (CIS) 13.1 13.2 13.3 13.6 13.7 13.8 Cyber Risk Institute (CRI) DE.AE-3.2 DE.CM-1.2 DE.CM-1.3 DE.CM-1.4 FFIEC Cybersecurity Assessment Tool (CAT) D3.DC.An.B.1 D3.DC.An.E.1 D3.DC.An.B.2 D3.DC.An.B.4 D3.DC.An.B.5 NIST SP 800-53 r5 SI-4 (13) SI-15 SI-4 (17)	Network Activity Monitoring	Anomalies and Events	DE.AE-1.NA
Detect	Detect / Anomalies and Events / DE.AE-1.BC	Baseline Configuration: Evaluate the effectiveness of processes used to manage system configuration baselines and to detect unauthorized changes from the baseline configuration.	OCC Comptroller’s Handbook: Community Bank Supervision Information Technology, Objective 1, Procedure 4 Information Technology, Objective 4, Procedure 3	Information Security Booklet II.C.10(a) Appendix A, Objective 6, Procedure 12 Appendix A, Objective 6, Procedure 28, part f Architecture, Infrastructure, and Operations Booklet V.B.I Appendix A, Objective 13, Procedure 3, parts c and d	Center for Internet Security (CIS) 4.1 4.2 Cyber Risk Institute (CRI) DE.AE-1.1 DE.CM-7.3 PR.IP-1.1 FFIEC Cybersecurity Assessment Tool (CAT) D1.G.IT.B.4 D3.PC.Im.B.5 NIST SP 800-53 r5 CM-2 CM-3 (5)	Baseline Configuration	Anomalies and Events	DE.AE-1.BC
Detect	Detect / Anomalies and Events / DE.AE-2.EI	Event Identification and Analysis: Evaluate the effectiveness of processes that identify and analyze events.	OCC Bulletin 2005-13 Attachment, page 15735 OCC Bulletin 2021-55 Attachment, page 66427 OCC Comptroller’s Handbook: Community Bank Supervision Information Technology, Objective 5, Procedure 4.	Information Security Booklet II.C III.C III.D Appendix A, Objective 2, Procedure 5, part c Appendix A, Objective 3, Procedure 2, part b Appendix A, Objective 8, Procedure 5, parts a – h Architecture, Infrastructure, and Operations Booklet VI.C.4	Center for Internet Security (CIS) 17.9 Cyber Risk Institute (CRI) PR.PT-1.1 PR.PT-1.2 DE.CM-1.2 FFIEC Cybersecurity Assessment Tool (CAT) D5.DR.De.B.3 D5.ER.Es.B.4 D5.IR.Pl.B.1 NIST SP 800-53 r5 SI-4 (5)	Event Identification and Analysis	Anomalies and Events	DE.AE-2.EI
Detect	Detect / Anomalies and Events / DE.AE-2.AP	Alert Parameters: Assess the adequacy of processes that define, manage, and adjust alert parameters for detecting and notifying management of events/incidents.	OCC Bulletin 2015-20 Attachment, page 3	Information Security Booklet II.C.15(a) II.C.15(b) II.C.16 Appendix A, Objective 6, Procedure 21, part f Appendix A, Objective 6, Procedure 22, part f Appendix A, Objective 6, Procedure 25, part b Appendix A, Objective 6, Procedure 35, part b Architecture, Infrastructure, and Operations Booklet VI.B.7 Appendix A, Objective 15, Procedure 7, parts a - e	Center for Internet Security (CIS) 13.1 13.11 Cyber Risk Institute (CRI) DE.AE-2.1 DE.AE-3.2 DE.AE-5.1 DE.CM-1.2 DE.CM-1.4 DE.CM-6.3 DE.DP-5.1 FFIEC Cybersecurity Assessment Tool (CAT) D3.DC.An.E.4 D3.DC.An.Int.5 D3.DC.Ev.B.2 D5.DR.De.B.1 NIST SP 800-53 r5 SI-4 (5)	Alert Parameters	Anomalies and Events	DE.AE-2.AP
Detect	Detect / Anomalies and Events / DE.AE-3.AR	Event Analysis and Reporting: Evaluate the effectiveness of log collection and log data aggregation processes to determine whether event data are relevant, accurate, and complete.	OCC Bulletin 2021-36 Attachment, page 8, section 6 OCC Comptroller’s Handbook: Community Bank Supervision Information Technology, Objective 2, Procedure 6.	Architecture, Infrastructure, and Operations Booklet VI.B.7 Appendix A, Objective 15, Procedure 7, parts a - e Information Security Booklet II.C.15(a) II.C.15(b) II.C.22 Appendix A, Objective 6, Procedure 35, part a	Center for Internet Security (CIS) 8.1 8.5 8.11 8.12 Cyber Risk Institute (CRI) DE.CM-1.1 PR.PT-1.1 PR.PT-1.2 DE.CM-1.2 DE.CM-3.2 FFIEC Cybersecurity Assessment Tool (CAT) D1.RM.Au.B.3 D2.MA.Ma.B.1 D2.MA.Ma.B.2 D3.DC.An.B.3 D5.ER.Es.B.4 NIST SP 800-53 r5 CM-5 (1)	Event Analysis and Reporting	Anomalies and Events	DE.AE-3.AR
Detect	Detect / Anomalies and Events / DE.AE-3.TC	Threat Correlation: Evaluate the effectiveness of the processes for correlating threat intelligence with internal event data analysis.	OCC Comptroller’s Handbook: Community Bank Supervision Information Technology, Objective 5, Procedure 4	Information Security Booklet II.A.1 III.A III.C Appendix A, Objective 7, Procedure 1 Appendix A, Objective 8, Procedure 8, part i Appendix A, Objective 8, Procedure 3, parts a - f	Center for Internet Security (CIS) 13.1 8.5 Cyber Risk Institute (CRI) DE.AE-3.1 DE.AE-3.2 FFIEC Cybersecurity Assessment Tool (CAT) D2.TI.Ti.E.1 D2.TI.Th.Int.1 D3.DC.An.Int.6 NIST SP 800-53 r5 SI-4 (17) CA-7 (3) IR-4 (4)	Threat Correlation	Anomalies and Events	DE.AE-3.TC
Detect	Detect / Anomalies and Events / DE.AE-4.EI	Event Impact: Assess the adequacy of processes for analyzing the impact from active event(s).	OCC Bulletin 2015-20 Attachment, page 3 OCC Bulletin 2020-46 Attachment, page 7 OCC Bulletin 2021-55 Attachment OCC Comptroller’s Handbook: Community Bank Supervision Information Technology, Objective 1, Procedure 4	Information Security Booklet II.C.22 II.D.1 III.C Architecture, Infrastructure, and Operations Booklet VI.C.4 Appendix A, Objective 16, Procedure 4, part b	Center for Internet Security (CIS) 13.2 13.3 Cyber Risk Institute (CRI) DE.AE-2.1 RS.AN-2.2 DE.AE-4.1 FFIEC Cybersecurity Assessment Tool (CAT) D5.ER.Es.E.1 D5.DR.RE.I.1 D1.RM.RMP.I.2 D5.IR.Pl.E.4	Event Impact	Anomalies and Events	DE.AE-4.EI
Detect	Detect / Anomalies and Events / DE.AE-5.IT	Incident Thresholds: Evaluate the effectiveness of the process used to establish alert thresholds to determine when an event is designated as an incident.	OCC Comptroller’s Handbook: Community Bank Supervision Information Technology, Objective 5, Procedure 4	Information Security Booklet I.B III.D III.C Appendix A, Objective 2, Procedure 5, part e Appendix A, Objective 8, Procedure 5, part h Appendix A, Objective 8, Procedure 6, part f Architecture, Infrastructure, and Operations Booklet VI.C.4	Center for Internet Security (CIS) 13.11 17.9 Cyber Risk Institute (CRI) DE.AE-5.1 FFIEC Cybersecurity Assessment Tool (CAT) D1.G.Ov.I.4 D1.TC.Cu.E.3 D3.DC.An.E.4 D3.DC.Th.A.3 D5.DR.De.B.1	Incident Thresholds	Anomalies and Events	DE.AE-5.IT
Detect	Detect / Security Continuous Monitoring / DE.CM-1.NM	Network Monitoring: Assess the adequacy of processes to monitor the network for events (e.g., unauthorized personnel and third-party connections).	OCC Bulletin 2015-20 Attachment, page 3 OCC Comptroller’s Handbook: Community Bank Supervision Information Technology, Objective 5, Procedure 3 Information Technology, Objective 5, Procedure 4	Information Security Booklet II.C.9 Architecture, Infrastructure and Operations Booklet Appendix A, Objective 13, Procedure 3, part h	Center for Internet Security (CIS) 13.3 13.2 Cyber Risk Institute (CRI) DE.AE-2.1 DE.AE-3.1 FFIEC Cybersecurity Assessment Tool (CAT) D3.PC.Im.B.1 D3.PC.Im.B.3 D3.PC.Im.E.2 D4.C.Co.Int.4 NIST SP 800-53 r5 SI-4 SI-4 (1) SI-4 (3)	Network Monitoring	Security Continuous Monitoring	DE.CM-1.NM
Detect	Detect / Security Continuous Monitoring / DE.CM-1.NS	Network Monitoring Scope: Assess the effectiveness of the risk management processes that determine the scope and type of implemented monitoring solutions.	OCC Bulletin 2015-20 Attachment, page 3 OCC Comptroller’s Handbook: Community Bank Supervision Information Technology, Objective 2, Procedure 6 Information Technology, Objective 5, Procedure 3 Information Technology, Objective 5, Procedure 4	Information Security Booklet II.C.9 II.C.9(a) Appendix A, Objective 6, Procedure 4, parts a - c Architecture, Infrastructure and Operations Booklet Appendix A, Objective 13, Procedure 3, part h	Center for Internet Security (CIS) 13.3 Cyber Risk Institute (CRI) DE.AE-2.1 GV.RM-1.1 FFIEC Cybersecurity Assessment Tool (CAT) D1.G.Ov.Int.7 D1.G.SP.Int.2 D3.PC.Im.B.1 D3.PC.Im.B.3 D3.PC.Im.E.2 NIST SP 800-53 r5 SI-4	Network Monitoring Scope	Security Continuous Monitoring	DE.CM-1.NS
Detect	Detect / Security Continuous Monitoring / DE.CM-2.PA	Physical Asset Controls: Assess effectiveness of controls over the physical facility and technology assets.	OCC Comptroller’s Handbook: Community Bank Supervision Information Technology, Objective 5, Procedure 3 Information Technology, Objective 6, Procedure 7	Information Security Booklet II.C.8 Appendix A, Objective 6, Procedure 9 Architecture, Infrastructure, and Operations Booklet VI.A.1 Appendix A, Objective 13, Procedure 9, part e	Center for Internet Security (CIS) 1 Cyber Risk Institute (CRI) DE.CM-2.1 DE.CM-1.2 FFIEC Cybersecurity Assessment Tool (CAT) D3.PC.Am.B.11 D3.PC.Am.E.4 D3.DC.Ev.B.5 NIST SP 800-53 r5 PE-6 PE-6 (4) PE-22	Physical Asset Controls	Security Continuous Monitoring	DE.CM-2.PA
Detect	Detect / Security Continuous Monitoring / DE.CM-4.AA	Application Anomalous Activity: Evaluate the effectiveness of application-level controls that identify, measure, monitor, manage, and report anomalous activities.	OCC Comptroller’s Handbook: Community Bank Supervision Information Technology, Objective 4, Procedure 3	Information Security Booklet II.C.17 II.C.12 Appendix A, Objective 6, Procedure 27, parts a - g Appendix A, Objective 6, Procedure 17 Appendix A, Objective 8, Procedure 4, parts a – e	Center for Internet Security (CIS) 9 9.1 9.4 9.6 9.7 10 10.4 10.7 Cyber Risk Institute (CRI) DE.CM-4.1 DE.CM-4.2 FFIEC Cybersecurity Assessment Tool (CAT) D3.PC.Im.B.4 D3.PC.Im.E.2 D3.DC.Th.B.4 D3.PC.De.E.5 D5.DR.Re.E.3	Application Anomalous Activity	Security Continuous Monitoring	DE.CM-4.AA
Detect	Detect / Security Continuous Monitoring / DE.CM-5.UM	Unauthorized Mobile Code: Evaluate the effectiveness of processes and controls to detect unauthorized mobile code.	OCC Comptroller’s Handbook: Community Bank Supervision Information Technology, Objective 4, Procedure 3	Information Security Booklet II.C.12 Appendix A, Objective 6, Procedure 17 Appendix A, Objective 6, Procedure 24, parts b and c	Center for Internet Security (CIS) 10 10.1 10.2 10.4 Cyber Risk Institute (CRI) DE.CM-5.1 FFIEC Cybersecurity Assessment Tool (CAT) D3.PC.De.E.5 D3.PC.De.E.6 NIST SP 800-53 r5 SC-43 SC-18 (1)	Unauthorized Mobile Code	Security Continuous Monitoring	DE.CM-5.UM
Detect	Detect / Security Continuous Monitoring / DE.CM-7.ST	Shadow IT: Evaluate the adequacy of processes and the effectiveness of detection tools to identify and monitor for shadow IT.	OCC Comptroller’s Handbook: Community Bank Supervision Information Technology, Objective 4, Procedure 3 Information Technology, Objective 5, Procedure 3	Architecture, Infrastructure and Operations Booklet III.B.3 Appendix A, Objective 4, Procedure 5, parts a - f Information Security Booklet II.C.13e II.C.12	Center for Internet Security (CIS) 2 1.3 1.5 Cyber Risk Institute (CRI) DE.CM-7.1 DE.CM-7.3 FFIEC Cybersecurity Assessment Tool (CAT) D3.PC.Im.E.3 D3.PC.De.E.1 D3.PC.Am.B.16 D3.DC.Ev.B.3 NIST SP 800-53 r5 CM-7 (4) CM-8 (3)	Shadow IT	Security Continuous Monitoring	DE.CM-7.ST
Detect	Detect / Security Continuous Monitoring / DE.CM-8.VS	Vulnerability Scanning: Evaluate the adequacy of the scope, frequency, and effectiveness of the vulnerability scanning process.	OCC Comptroller’s Handbook: Community Bank Supervision Information Technology, Objective 5, Procedure 4	Information Security Booklet II.A.2 IV.A.2(c) Appendix A, Objective 8, Procedure 1, parts a – d Appendix A, Objective 10, Procedure 1, part a	Center for Internet Security (CIS) 7 7.1 7.5 7.6 Cyber Risk Institute (CRI) DE.CM-8.1 DE.CM-8.2 FFIEC Cybersecurity Assessment Tool (CAT) D3.DC.Th.B.1 D3.DC.Th.A.1 D3.DC.Th.E.5 NIST SP 800-53 r5 RA-5 CA-2 (2) RA-5 (3)	Vulnerability Scanning	Security Continuous Monitoring	DE.CM-8.VS
Detect	Detect / Detection Processes / DE.DP-2.ED	Event Detection Processes: Assess the effectiveness of detection processes, including planning and implementation, personnel, and communication of event information.	OCC Comptroller’s Handbook: Community Bank Supervision Information Technology, Objective 5, Procedure 3 Information Technology, Objective 5, Procedure 4	Information Security Booklet III.C Appendix A, Objective 8, Procedure 1, part g – j Appendix A, Objective 8, Procedure 4, part a Appendix A, Objective 4, Procedure 1 Business Continuity Management Booklet Appendix A, Objective 8, Procedure 3, parts a - c	Center for Internet Security (CIS) 7 17.1 Cyber Risk Institute (CRI) DE.CM-1.2 DE.DP-5.1 FFIEC Cybersecurity Assessment Tool (CAT) D3.PC.Im.B.1 D3.PC.Im.B.3 D3.DC.An.E.1 D3.DC.An.Int.2 D4.C.Co.Int.4 NIST SP 800-53 r5 CA-7 IR-4 SI-4	Event Detection Processes	Detection Processes	DE.DP-2.ED
Detect	Detect / Detection Processes / DE.DP-3.ET	Event Detection Testing and Improvement: Assess the adequacy of detection process testing.	OCC Comptroller’s Handbook: Community Bank Supervision Information Technology, Objective 1, Procedure 2 Information Technology, Objective 5, Procedure 4 Information Technology, Objective 5, Procedure 9	Information Security Booklet IV.A IV Appendix A, Objective 6, Procedure 5, parts a – c Appendix A, Objective 10, Procedure 3, parts a - d	Center for Internet Security (CIS) 7 17.7 17.8 17.9 Cyber Risk Institute (CRI) DE.DP-3.1 DE.DP-5.1 FFIEC Cybersecurity Assessment Tool (CAT) D1.G.RM.Au.B.1 D1.RM.RMP.E.2 D3.DC.Th.B.1 D5.IR.Te.B.1 D5.DR.Re.E.8 NIST SP 800-53 r5 IR-3 (3) CA-2 (2)	Event Detection Testing and Improvement	Detection Processes	DE.DP-3.ET
Respond	Respond / Response Planning / RS.RP-1.RE	Response Plan Execution: Assess effectiveness of processes related to execution of the cybersecurity incident response plan.	OCC Bulletin 2005-13 Attachment, page 15752 OCC Bulletin 2020-94 Attachment, Appendix A OCC Comptroller’s Handbook: Community Bank Supervision Information Technology, Objective 5, Procedure 4	Information Security Booklet III.D Appendix A, Objective 8, Procedure 5, Parts a - h Appendix A, Objective 8, Procedure 6, Parts a - i Architecture, Infrastructure, and Operations Booklet VI.C.4 Appendix A, Objective 16, Procedure 4, Parts a - f Business Continuity Management Booklet V.A V.F.1	Center for Internet Security (CIS) 17.1 17.3 17.8 Cyber Risk Institute (CRI) RS.RP-1.1 RS.CO-2.1 RS.CO-2.2 RS.CO-2.3 RS.CO-2.4 FFIEC Cybersecurity Assessment Tool (CAT) D1.TC.Cu.E.3 D5.IR.Pl.Inn.1 D5.DR.Re.E.1 NIST SP 800-53 r5 IR-4 IR-5 IR-6 IR-8	Response Plan Execution	Response Planning	RS.RP-1.RE
Respond	Respond / Communications/ RS.CO-3.IS	Information Sharing: Assess the appropriateness of strategy and practices to share information with affected staff, industry groups (e.g., Financial Services Information Sharing and Analysis Center (FS-ISAC)), financial sector, regulators, and peers.	OCC Bulletin 2020-94 Attachment	Information Security Booklet III.C Appendix A, Objective 8, question 6, Parts a - c and Part f Business Continuity Management Booklet III.B.1 Appendix A, Objective 7, Procedure 1, Parts a - e Architecture, Infrastructure, and Operations Booklet III.C VI.C.4 Appendix A, Objective 16, Procedure 4, Parts a, b and e	Center for Internet Security (CIS) 17.2 17.5 Cyber Risk Institute (CRI) RS.CO-3.1 RS.CO-3.2 RS.CO-5.1 FFIEC Cybersecurity Assessment Tool (CAT) D2.IS.Is.B.3 D5.ER.Es.B.2 D5.ER.Es.E.2 NIST SP 800-53 r5 PM-16 IR-4 (4) IR-4 (11)	Information Sharing	Communications	RS.CO-3.IS
Respond	Respond / Communications/ RS.CO-4.IC	Incident Coordination: Assess the adequacy of internal and external stakeholder coordination in accordance with the response plan.	OCC Bulletin 2020-94 Attachment, page 9	Information Security Booklet III.D Appendix A, Objective 6, Procedure 25, Parts a - c Appendix A, Objective 8, Procedure 6, Part a – i Architecture, Infrastructure, and Operations Booklet VI.C.4 Appendix A, Objective 16, Procedure 4. Parts a - f Business Continuity Management Booklet IV.B V.F.1 Appendix A, Objective 7, Procedure 1, Parts a - e	Center for Internet Security (CIS) 17.1 17.5 Cyber Risk Institute (CRI) RS.CO-4.1 FFIEC Cybersecurity Assessment Tool (CAT) D2.IS.Is.Int.1 D2.IS.Is.A.1 D5.ER.Es.Int.2 D5.ER.Es.Inn.1 NIST SP 800-53 r5 IR-4 (10) IR-4 (8)	Incident Coordination	Communications	RS.CO-4.IC
Respond	Respond / Communications/ RS.CO-5.II	Incident Information Sharing: Evaluate information sharing arrangements to assess the effectiveness of sharing threats and countermeasures with other external stakeholders in order to support sector-wide situational awareness and response to incidents.	None	Information Security Booklet III.C III.D Business Continuity Management Booklet III.B.1 Appendix A, Objective 7, Procedure 1, Parts a - e	Cyber Risk Institute (CRI) RS.CO-5.1 RS.CO-5.2 FFIEC Cybersecurity Assessment Tool (CAT) D2.IS.Is.E.1 D2.IS.Is.Int.3 NIST SP 800-53 r5 PM-15	Incident Information Sharing	Communications	RS.CO-5.II
Respond	Respond / Analysis / RS.AN-1.NI	Notifications Investigated: Assess the adequacy of the processes to investigate event notifications.	OCC Comptroller’s Handbook: Community Bank Supervision Information Technology, Objective 5, Procedure 3 Information Technology, Objective 5, Procedure 4	Information Security Booklet III.C II.C.22 Appendix A, Objective 6, Procedure 35, Parts a – d Appendix A, Objective 8, Procedure 5, Parts a – d and Part h	Center for Internet Security (CIS) 8.11 16.3 Cyber Risk Institute (CRI) RS.AN-2.2 NIST SP 800-53 r5 SI-4	Notifications Investigated	Analysis	RS.AN-1.NI
Respond	Respond / Analysis / RS.AN-2.II	Incident Impact: Evaluate the effectiveness of processes that analyze the impact of an incident.	OCC Bulletin 2005-13 Attachment, page 17572 OCC Bulletin 2020-94 Attachment, page 9 OCC Comptroller’s Handbook: Community Bank Supervision Information Technology, Objective 5, Procedure 4	Architecture, Infrastructure, and Operations Booklet VI.C.4 Appendix A, Objective 16, Procedure 4, Part b Information Security Booklet Appendix A, Objective 8, Procedure 1, Parts b - i	Cyber Risk Institute (CRI) RS.AN-2.2 RS.AN-2.1 FFIEC Cybersecurity Assessment Tool (CAT) D1.G.Ov.A.5 D5.IR.Te.Int.1 D5.DR.Re.Int.1 D5.ER.Es.E.1	Incident Impact	Analysis	RS.AN-2.II
Respond	Respond / Analysis / RS.AN-3.FI	Forensic Investigation: Assess the adequacy of forensic investigation processes, to include planning, scope, and timeliness.	OCC Bulletin 2005-13 Attachment, page 17572	Information Security Booklet III.C III.D Appendix A, Objective 8, Procedure 1, Part a – f Business Continuity Management Booklet V.F.1	Center for Internet Security (CIS) 8.5 Cyber Risk Institute (CRI) RS.AN-3.1 FFIEC Cybersecurity Assessment Tool (CAT) D3.CC.Re.Int.3 NIST SP 800-53 r5 IR-4 (11) IR-5 IR-7	Forensic Investigation	Analysis	RS.AN-3.FI
Respond	Respond / Analysis / RS.AN-4.IC	Incident Categorization: Assess the adequacy of criteria to categorize and prioritize incidents.	OCC Bulletin 2020-94 Attachment, Appendix A	Information Security Booklet III.C Appendix A, Objective 8, Procedure 1, Part j Architecture, Infrastructure, and Operations Booklet VI.C.4 Appendix A, Objective 16, Procedure 4, Parts a and b	Center for Internet Security (CIS) 17.9 Cyber Risk Institute (CRI) RS.AN-4.1 FFIEC Cybersecurity Assessment Tool (CAT) D5.ER.Es.B.4 NIST SP 800-53 r5 IR-6 (2)	Incident Categorization	Analysis	RS.AN-4.IC
Respond	Respond / Analysis / RS.AN-5.VM	Vulnerability Management: Evaluate the effectiveness of processes that receive, analyze, and respond to vulnerabilities.	OCC Bulletin 2020-94 Attachment, page 9 OCC Comptroller’s Handbook: Community Bank Supervision Information Technology, Objective 4, Procedure 3 Information Technology, Objective 5, Procedure 4 Information Technology, Objective 6, Procedure 2	Information Security Booklet III.A IV.A.2 Appendix A, Objective 4, Procedure 2, Parts a – e Appendix A, Objective 4, Procedure 4 Appendix A, Objective 8, Procedure 1, Parts c, d, h and I Appendix A, Objective 8, Procedure 3, Parts a - f Appendix A, Objective 10, Procedure 1, Parts a and c Appendix A, Objective 10, question 3, Part c Architecture, Infrastructure, and Operations Booklet VI.B.3(a) Appendix A, Objective 15, Procedure 3, Part a Business Continuity Management Booklet V.F.1	Center for Internet Security (CIS) 7 16.2 Cyber Risk Institute (CRI) RS.AN-5.1 RS.AN-5.2 RS.AN-5.3 FFIEC Cybersecurity Assessment Tool (CAT) D2.TI.Ti.B.1 D2.TI.Ti.B.2 D2.TI.Th.B.3 D3.DC.Th.B.1 D3.DC.Th.B.2 D3.DC.Th.E.5 D3.DC.Th.A.1 D3.DC.Th.Inn.2 D3.CC.Re.Int.1 NIST SP 800-53 r5 RA-5	Vulnerability Management	Analysis	RS.AN-5.VM
Respond	Respond / Mitigation / RS.MI-1.IC	Incident Containment: Assess the adequacy of incident containment processes to minimize damage from the effects of an incident.	OCC Bulletin 2005-13 Attachment, page 17572 OCC Comptroller’s Handbook: Community Bank Supervision Information Technology, Objective 6, Procedure 2 Information Technology, Objective 6, Procedure 3 Information Technology, Objective 6, Procedure 5	Information Security Booklet III.D Appendix A, Objective 8, Procedure 6, Parts b, h, and i	Center for Internet Security (CIS) 17.2 17.4 Cyber Risk Institute (CRI) RS.MI-1.1 RS.MI-1.2 FFIEC Cybersecurity Assessment Tool (CAT) D5.DR.Re.B.1 D5.DR.Re.E.3 D5.DR.Re.E.4 NIST SP 800-53 r5 IR-4 IR-4 (11)	Incident Containment	Mitigation	RS.MI-1.IC
Respond	Respond / Mitigation / RS.MI-2.IM	Incident Mitigation: Assess the adequacy of incident mitigation processes as defined in the response plan or evidenced during actual incidents.	OCC Bulletin 2005-13 Attachment, page 17572 OCC Comptroller’s Handbook: Community Bank Supervision Information Technology, Objective 5, Procedure 4	Information Security Booklet III.D Appendix A, Objective 3, Procedure 2, Part e Architecture, Infrastructure, and Operations Booklet VI.C.4 Appendix A, Objective 8, Procedure 1 Appendix A, Objective 16, Procedure 4, Parts a - c	Center for Internet Security (CIS) 17 Cyber Risk Institute (CRI) RS.MI-2.1 FFIEC Cybersecurity Assessment Tool (CAT) D5.IR.Pl.E.1 D5.IR.Te.A.4 NIST SP 800-53 r5 IR-4 (11)	Incident Mitigation	Mitigation	RS.MI-2.IM
Respond	Respond / Mitigation / RS.MI-3.VM	Vulnerability Mitigation: Assess the adequacy of processes to respond to additional vulnerabilities identified during mitigation.	OCC Bulletin 2005-13 Attachment, page 17572 OCC Comptroller’s Handbook: Community Bank Supervision Information Technology, Objective 4, Procedure 3 Information Technology, Objective 5, Procedure 4	Information Security Booklet II.A.2 Appendix A, Objective 8, Procedure 4, Parts a, and d – f Appendix A, Objective 6, Procedure 15, Part h Appendix A, Objective 4, Procedure 1 Appendix A, Objective 4, Procedure 4 Architecture, Infrastructure, and Operations Booklet Appendix A, Objective 15, Procedure 3	Center for Internet Security (CIS) 7.3 7.4 Cyber Risk Institute (CRI) RS.MI-3.1 RS.MI-3.2 FFIEC Cybersecurity Assessment Tool (CAT) D3.CC.Pa.B.1 D3.CC.Pa.Int.1 D3.CC.Re.E.2 NIST SP 800-53 r5 IR-6 (2) RA-5	Vulnerability Mitigation	Mitigation	RS.MI-3.VM
Respond	Respond / Improvements / RS.IM-1.IR	Incident Response - Lessons Learned: Assess adequacy of processes that analyze and incorporate lessons learned to the Incident Response Plan.	OCC Bulletin 2005-13 Attachment OCC Bulletin 2020-94 Attachment OCC Comptroller’s Handbook: Community Bank Supervision Information Technology, Objective 5, Procedure 4	Information Security Booklet III.D Appendix A, Objective 9, Procedure 1, Part b Architecture, Infrastructure, and Operations Booklet III.F Appendix A, Objective 8, Procedure 1	Center for Internet Security (CIS) 17.8 Cyber Risk Institute (CRI) RS.IM-2.1 RS.IM-1.1 RS.IM-1.2 FFIEC Cybersecurity Assessment Tool (CAT) D5.IR.Pl.Int.4	Incident Response - Lessons Learned	Improvements	RS.IM-1.IR
Recover	Recover / Recovery Planning / RC.RP-1.RP	Recovery Plan Execution: Evaluate the effectiveness of incident recovery plans and restoration processes, including recovery plan testing.	OCC Bulletin 2020-94 Attachment OCC Comptroller’s Handbook: Community Bank Supervision Information Technology, Objective 5, Procedure 4 Information Technology, Objective 6 Procedures 1 through 5	Information Security Booklet III.D Appendix A, Objective 8, procedure 6, parts a - i Business Continuity Management Booklet V.F.1 V.B Appendix A, Objective 8, procedure 10, parts a – c	Center for Internet Security (CIS) 11.1 17.4 Cyber Risk Institute (CRI) RC.RP-1.1 FFIEC Cybersecurity Assessment Tool (CAT) D5.IR.Pl.B.1 D5.IR.Pl.B.6 NIST SP 800-53 r5 IR-8 CP-2	Recovery Plan Execution	Recovery Planning	RC.RP-1.RP
Recover	Recover / Improvements/ RC.IM-1.RU	Recovery Plan Updates: Assess if recovery plans and tests are updated to include current threat intelligence, recognize lessons learned, and address issues identified during actual incidents or tests.	OCC Bulletin 2020-94 Attachment OCC Comptroller’s Handbook: Community Bank Supervision Information Technology, Objective 6, Procedure 2 Information Technology, Objective 6, Procedure 3	Information Security Booklet III.D Business Continuity Management Booklet VIII VII.E Appendix A, Objective 10, Procedure 30 Appendix A, Objective 11, procedure 1, parts a - k Appendix A, Objective 11, procedure 2, parts a – e Appendix A, Objective 11, procedure 3	Center for Internet Security (CIS) 17.4 17.7 17.8 Cyber Risk Institute (CRI) RC.IM-2.1 RS.MI-3.1 RS.MI-3.2 RS.IM-1.1 FFIEC Cybersecurity Assessment Tool (CAT) D5.IR.Pl.A.3 D5.IR.Te.Int.3 NIST SP 800-53 r5 CP-2 CP-3	Recovery Plan Updates	Improvements	RC.IM-1.RU
Recover	Recover / Communication/ RC.CO-3.RC	Recovery Communications: Evaluate the effectiveness of communication to internal and external stakeholders regarding recovery activities.	OCC Comptroller’s Handbook: Community Bank Supervision Information Technology, Objective 6, Procedure 5	Business Continuity Management Booklet IV.B V.F.1 Appendix A, Objective 7, procedure 1, parts a - e Appendix A, Objective 8, procedure 12, parts a - g Appendix A, Objective 8, procedure 13, parts a and d	Center for Internet Security (CIS) 17.2 17.6 Cyber Risk Institute (CRI) RC.CO-1.1 RC.CO-3.1 RC.CO-1.2 FFIEC Cybersecurity Assessment Tool (CAT) D5.ER.Es.Int.3 D5.ER.Es.Inn.1 D5.IR.Pl.Int.1 NIST SP 800-53 r5 IR-4 (15)	Recovery Communications	Communication	RC.CO-3.RC
Protect	Protect / Identity Management, Authentication and Access Control / PR.AC-1.AM	Access and Authentication Management Program: Evaluate the effectiveness of the access management processes to implement and administer logical and physical access controls. This includes assessing authentication controls and use of multifactor authentication or similarly strong controls.	OCC Bulletin 2021-36 Attachment OCC Comptroller’s Handbook: Community Bank Supervision Information Technology, Objective 5, Procedure 3 Information Technology, Objective 5, Procedure 7	Information Security Booklet II.C.7 II.C.7(b) II.C.15 Appendix A, Objectives 6, procedure 21, part e Appendix A, Objective 6, procedure 22, parts a - f Appendix A, Objective 6, procedure 23, parts a and b	Center for Internet Security (CIS) 6 6.2 Cyber Risk Institute (CRI) PR.AC-1.1 PR.AC-1.2 PR.AC-1.3 PR.AC-2.1 PR.AC-4.1 FFIEC Cybersecurity Assessment Tool (CAT) D3.PC.Am.B.5 D3.PC.Am.B.6 NIST SP 800-53 r5 AC-2 AC-3	Access and Authentication Management Program	Identity Management, Authentication and Access Control	PR.AC-1.AM
Protect	Protect / Identity Management, Authentication and Access Control / PR.AC-3.RA	Remote Access: Evaluate the effectiveness of processes to manage remote access.	OCC Comptroller’s Handbook: Community Bank Supervision Information Technology, Objective 5, Procedure 5 Information Technology, Objective 5, Procedure 6	Architecture, Infrastructure, and Operations Booklet III.G Appendix A, Objective 9, procedure 1, parts a - c Information Security Booklet II.C.15(c) Appendix A, Objectives 6, procedure 21, part e Appendix A, Objective 6, procedure 23, parts a and b	Center for Internet Security (CIS) 6.4 Cyber Risk Institute (CRI) PR.AC-3.1 PR.AC-3.2 FFIEC Cybersecurity Assessment Tool (CAT) D3.PC.Im.B.2 D3.PC.Am.B.15 NIST SP 800-53 r5 CM-6 AC-17 IA-2	Remote Access	Identity Management, Authentication and Access Control	PR.AC-3.RA
Protect	Protect / Identity Management, Authentication and Access Control / PR.AC-4.EP	Privileged Access: Evaluate the effectiveness of processes to manage accounts with privileged access.	OCC Comptroller’s Handbook: Community Bank Supervision Information Technology, Objective 4, Procedure 1 Information Technology, Objective 4, Procedure 6	Information Security Booklet II.C.15 Appendix A, Objective 6, procedure 20, part d	Center for Internet Security (CIS) 6 Cyber Risk Institute (CRI) PR.AC-4.1 PR.AC-4.2 FFIEC Cybersecurity Assessment Tool (CAT) D3.PC.Am.B.1 D3.PC.Am.B.3 D3.PC.Am.B.4 D3.PC.AM.B.16 D3.PC.Am.E.2 NIST SP 800-53 r5 SC-2 AC-6 (5)	Privileged Access	Identity Management, Authentication and Access Control	PR.AC-4.EP
Protect	Protect / Identity Management, Authentication and Access Control / PR.AC-5.NS	Network Segmentation: Evaluate the effectiveness of processes governing network segmentation, including planning and implementation.	OCC Comptroller’s Handbook: Community Bank Supervision Information Technology, Objective 1, Procedure 4	Information Security Booklet II.C.9 Appendix A, Objective 6, procedure 27, part g Appendix A, Objective 6, procedure 10, part a	Center for Internet Security (CIS) 12.2 Cyber Risk Institute (CRI) PR.AC-5.1 FFIEC Cybersecurity Assessment Tool (CAT) D3.PC.Im.E.1 D3.PC.Im.Int.1 D3.PC.Im.A.1 D4.C.Co.Inn.2 NIST SP 800-53 r5 SC-7 (21) SC-7 (22) SC-2	Network Segmentation	Identity Management, Authentication and Access Control	PR.AC-5.NS
Protect	Protect / Identity Management, Authentication and Access Control / PR.AC-6.UI	User Identity: Assess the adequacy of identity verification and management processes.	OCC Bulletin 2021-36 Attachment OCC Comptroller’s Handbook: Community Bank Supervision Information Technology, Objective 4, Procedure 1 Information Technology, Objective 4, Procedure 4	Information Security Booklet II.C.15 Appendix A, Objective 6, Procedure 20, parts a - e Management Booklet III.C.2 Appendix A, Objective 12, Procedure 5, parts a – f	Cyber Risk Institute (CRI) PR.AC-1.1 PR.AC-1.2 FFIEC Cybersecurity Assessment Tool (CAT) D3.PC.Am.B.5 D3.PC.Am.B.6 NIST SP 800-53 r5 IA-12 IA-2 IA-5	User Identity	Identity Management, Authentication and Access Control	PR.AC-6.UI
Protect	Protect / Identity Management, Authentication and Access Control / PR.AC-7.UA	User Authentication: Evaluate the adequacy of processes to manage user authentication practices.	OCC Bulletin 2021-36 Attachment OCC Comptroller’s Handbook: Community Bank Supervision Information Technology, Objective 4, Procedure 6 Information Technology, Objective 5, Procedure 3	Information Security Booklet II.C.7(b) II.C.16 Appendix A, Objective 6, procedure 22, part a Appendix A, Objective 6, procedure 27, part f	Center for Internet Security (CIS) 5 6 Cyber Risk Institute (CRI) PR.AC-1.1 PR.AC-1.2 PR.AC-1.3 FFIEC Cybersecurity Assessment Tool (CAT) D1.RM.RA.B.2 D3.PC.Im.B.9 D3.PC.Am.Int.5 D3.PC.Am.Int.6 NIST SP 800-53 r5 IA-2 IA-5	User Authentication	Identity Management, Authentication and Access Control	PR.AC-7.UA
Protect	Protect / Identity Management, Authentication and Access Control / PR.AC-7.DS	Device and System Authentication: Evaluate the adequacy of processes to manage system to system authentication.	OCC Bulletin 2021-36 Attachment OCC Comptroller’s Handbook: Community Bank Supervision Information Technology, Objective 5, Procedure 3	Information Security Booklet II.C.7(b) II.C.15(b) Appendix A, Objective 6, procedure 22, part a Appendix A, Objective 6, procedure 27, part f	Cyber Risk Institute (CRI) PR.AC-4.3 FFIEC Cybersecurity Assessment Tool (CAT) D3.PC.Am.B.6 D3.PC.Am.B.8 NIST SP 800-53 r5 IA-5 (10)	Device and System Authentication	Identity Management, Authentication and Access Control	PR.AC-7.DS
Protect	Protect / Awareness and Training / PR.AT-1.TA	Training and Awareness: Evaluate the adequacy of information security training and awareness programs.	OCC Bulletin 2021-36 Attachment OCC Bulletin 2005-44 Attachment, page 12 OCC Bulletin 2015-19 Attachment, page 5 OCC Comptroller’s Handbook: Community Bank Supervision Information Technology, Objective 3, Question 8 Information Technology, Objective 5, Question 8	Information Security Booklet I.B II.C.7(e) II.C.13(e) II.C.15 Appendix A, Objective 2, procedure 5, part l Appendix A, Objective 2, procedure 10, parts c and d Appendix A, Objective 6, procedure 5, parts b and c Appendix A, Objective 6, procedure 8, part f Architecture, Infrastructure, and Operations Booklet Appendix A, Objective 14, procedure 1, part f	Center for Internet Security (CIS) 14.1 14.2 14.4 14.5 Cyber Risk Institute (CRI) PR.AT-1.1 PR.AT-1.2 PR.AT-1.3 PR.AT-2.1 PR.AT-2.2 PR.AT-2.3 PR.AT-3.1 PR.AT-3.2 PR.AT-4.1 FFIEC Cybersecurity Assessment Tool (CAT) D1.TC.Tr.B.1 D1.TC.Tr.B.2 D1.TC.Tr.B.3 D1.TC.Tr.E.2 D1.TC.Tr.E.3 NIST SP 800-53 r5 AT-2 AT-3	Training and Awareness	Awareness and Training	PR.AT-1.TA
Protect	Protect / Data Security / PR.DS-1.EP	Encryption Practices: Assess the adequacy of processes to plan and implement effective encryption practices for data at rest and data in-transit.	The Interagency Guidelines Establishing Information Security Standards, Part 30, Appendix B Paragraph III.B Paragraph III.C OCC Comptroller’s Handbook: Community Bank Supervision Information Technology, Objective 5, Procedure 3 Information Technology, Objective 5, Procedure 5	Information Security Booklet II.C.19 Appendix A, Objective 6, procedure 23 Appendix A, Objective 6, procedure 27, part f Appendix A, Objective 6, procedure 30 Architecture, Infrastructure, and Operations Booklet III.A.2(a)	Center for Internet Security (CIS) 3.6 3.9 3.10 3.11 Cyber Risk Institute (CRI) PR.DS-1.1 PR.DS-1.2 PR.DS-2.1 PR.DS-2 FFIEC Cybersecurity Assessment Tool (CAT) D3.PC.Am.B.13 D3.PC.Am.E.3 D3.PC.AM.Int.7 D3.PC.Am.A.2 D3.PC.Am.A.1 NIST SP 800-53 r5 SC-13 SC-8 AC-19 (5)	Encryption Practices	Data Security	PR.DS-1.EP
Protect	Protect / Data Security / PR.DS-1.KM	Cryptographic Key and Certificate Management: Assess the adequacy of cryptographic key and certificate management processes.	None	Information Security Booklet II.C.19 Appendix A, Objective 6, procedure 30	Cyber Risk Institute (CRI) PR.DS-1.2 FFIEC Cybersecurity Assessment Tool (CAT) D3.PC.Am.E.5 NIST SP 800-53 r5 SC-12 CM-3 (6)	Cryptographic Key and Certificate Management	Data Security	PR.DS-1.KM
Protect	Protect / Data Security / PR.DS-1.MP	Media Protection: Evaluate the effectiveness of processes to manage electronic media storage, transit, sanitization, and disposal.	OCC Comptroller’s Handbook: Community Bank Supervision Information Technology, Objective 6, Procedure 6 Information Technology, Objective 6, Procedure 7	Information Security Booklet II.C.8 II.C.13 II.C.13(c) II.C.13(d) Appendix A, Objective 6, procedure 18, parts a - g Architecture, Infrastructure, and Operations Booklet VI.B.4 VI.B.8 Appendix A, Objective 15, procedure 8, parts a – g	Center for Internet Security (CIS) 3.1 3.5 Cyber Risk Institute (CRI) PR.DS-1.1 PR.DS-1.2 PR.DS-2.1 PR.DS-2.2 PR.DS-3.1 PR.IP-6.1 FFIEC Cybersecurity Assessment Tool (CAT) D1.G.IT.B.2 D3.PC.Am.B.11 D3.PC.Am.B.18 D3.PC.De.B.1 NIST SP 800-53 r5 MP-4 MP-5 MP-6	Media Protection	Data Security	PR.DS-1.MP
Protect	Protect / Data Security / PR.DS-1.MM	Mobile Device Management: Assess the adequacy of processes to manage mobile devices used for critical functions or contain confidential data.	None	Architecture, Infrastructure, and Operations Booklet III.H Appendix A, Objective 10, procedure 1, parts a – e Information Security Booklet II.C.15(d) Appendix A, Objectives 6, procedure 24, parts a - c	Center for Internet Security (CIS) 4.10 4.11 4.12 Cyber Risk Institute (CRI) PR.PT-2.1 FFIEC Cybersecurity Assessment Tool (CAT) D3.PC.Am.B.14 D3.PC.De.E.6 D3.CC.Re.E.1 D3.PC.De.Int.2 NIST SP 800-53 r5 AC-19	Mobile Device Management	Data Security	PR.DS-1.MM
Protect	Protect / Data Security / PR.DS-5.DL	Data Loss Prevention: Evaluate the effectiveness of processes to minimize or prevent the risk of data loss.	OCC Comptroller’s Handbook: Community Bank Supervision Information Technology, Objective 5, Procedure 5	Architecture, Infrastructure and Operations Booklet III.B.3 IV.B Appendix A, Objective 4, procedure 5, part d Information Security Booklet Glossary	Center for Internet Security (CIS) 3.13 Cyber Risk Institute (CRI) PR.IP-4.2 PR.IP-4.3 FFIEC Cybersecurity Assessment Tool (CAT) D3.PC.Am.Int.1 D3.PC.Am.Int.3 NIST SP 800-53 r5 SC-7 (10) AU 13 PE-19	Data Loss Prevention	Data Security	PR.DS-5.DL
Protect	Protect / Data Security / PR.DS-4.SC	System Capacity: Assess the adequacy of processes to manage system capacity.	OCC Comptroller’s Handbook: Community Bank Supervision Information Technology, Objective 1, Procedure 4 Information Technology, Objective 2, Procedure 6	Architecture, Infrastructure and Operations Booklet VI.B.6 Appendix A, Objective 15, procedure 6, parts a - j Business Continuity Management Booklet Appendix A, Objective 10, procedure 9	Cyber Risk Institute (CRI) PR.DS-4.1 FFIEC Cybersecurity Assessment Tool (CAT) D3.PC.Im.E.4 NIST SP 800-53 r5 CP-2 (2) SC-5 (2) SC-6	System Capacity	Data Security	PR.DS-4.SC
Protect	Protect / Data Security / PR.DS-8.HI	Hardware Integrity: Assess the adequacy of processes that identify and manage hardware integrity.	None	Architecture, Infrastructure, and Operations Booklet VI.B.2 Appendix A, Objective 13, procedure 3, parts c and d Information Security Booklet II.C.10(a) Appendix A, Objective 6, procedure 19, part c	Center for Internet Security (CIS) 4.6 Cyber Risk Institute (CRI) PR.DS-6.1 PR.DS-8.1 FFIEC Cybersecurity Assessment Tool (CAT) D1.G.IT.A.3 D1.G.IT.Inn.2 D3.PC.De.Int.2 NIST SP 800-53 r5 PE-22 CM-3 (2) CM-7 (9)	Hardware Integrity	Data Security	PR.DS-8.HI
Protect	Protect / Information Protection Processes and Procedures / PR.IP-1.SB	Security Baselines: Assess the adequacy of processes to identify and manage security baselines.	OCC Comptroller’s Handbook: Community Bank Supervision Information Technology, Objective 4, Procedure 3 Information Technology, Objective 5, Procedure 3	Architecture, Infrastructure, and Operations Booklet V.B.1 Appendix A, Objective 13, procedure 3, part c Appendix A, Objective 15, procedure 4, parts a and b Information Security Booklet II.C.10(a) II.C.10(b) II.C.10(c) Appendix A, Objective 6, procedure 12 Appendix A, Objective 6, procedure 13	Center for Internet Security (CIS) 4.1 4.2. Cyber Risk Institute (CRI) PR.IP-1.1 FFIEC Cybersecurity Assessment Tool (CAT) D3.PC.Im.B.5 D1.G.IT.B.4 D1.G.IT.Int.1 D5.DR.De.B.2 NIST SP 800-53 r5 CM-2 CM-3 PL-10	Security Baselines	Information Protection Processes and Procedures	PR.IP-1.SB
Protect	Protect / Information Protection Processes and Procedures / PR.IP-4.DB	Data Backup: Assess the adequacy of backup strategies and processes to protect data from physical and cyber threats.	OCC Comptroller’s Handbook: Community Bank Supervision Information Technology, Objective 6, Procedure 3 Information Technology, Objective 6, Procedure 6	Business Continuity Management Booklet IV IV.A.3 Appendix A, Objective 6, procedure 3, parts a - f Architecture, Infrastructure, and Operations Booklet VI.B.4 Appendix A, Objective 15, procedure 4, parts a and b	Center for Internet Security (CIS) 11.1 11.2 11.3 11.4 11.5 Cyber Risk Institute (CRI) PR.IP-4.1 PR.IP-4.2 PR.IP-9.1 FFIEC Cybersecurity Assessment Tool (CAT) D5.IR.Te.E.3 D5.IR.Pl.B.5 D5.IR.Te.E.1 NIST SP 800-53 r5 CP-9 CP-2 (6) CP-3 (1)	Data Backup	Information Protection Processes and Procedures	PR.IP-4.DB
Protect	Protect / Information Protection Processes and Procedures / PR.IP-9.RP	Response Plans: Assess the adequacy of governance and oversight of response plans supporting cybersecurity protection.	OCC Bulletin 2020-94 Attachment, page 3 OCC Comptroller’s Handbook: Community Bank Supervision Information Technology, Objective 5, Procedure 4 Information Technology, Objective 6, Procedure 4 Information Technology, Objective 6, Procedure 5	Information Security Booklet III.D Appendix A, Objective 3, procedure 2, parts a – e Appendix A, Objective 3, procedure 3	Center for Internet Security (CIS) 17.1 17.2 Cyber Risk Institute (CRI) RS.RP-1.1 RS.CO-1.1 FFIEC Cybersecurity Assessment Tool (CAT) D1.G.SP.B.6 D1.RM.RMP.B.1 D5.ER.Es.B.1 D5.ER.Es.B.2 D5.IR.Pl.E.4 NIST SP 800-53 r5 IR-1 IR-3 (3) IR-4 (11)	Response Plans	Information Protection Processes and Procedures	PR.IP-9.RP
Protect	Protect / Information Protection Processes and Procedures / PR.IP-10.RT	Test Response and Recovery Plans: Assess the adequacy of cybersecurity incident response and recovery plan testing.	OCC Bulletin 2020-94 Attachment, page 3 OCC Comptroller’s Handbook: Community Bank Supervision Information Technology, Objective 6, Procedure 3	Business Continuity Management Booklet VII Appendix A, Objective 10, procedures 1 - 30 Information Security Booklet Appendix A, Objective 8, procedure 5, parts a - h Appendix A, Objective 8, procedure 6, parts a - i	Center for Internet Security (CIS) 17.7 11.1 Cyber Risk Institute (CRI) PR.IP-10.4 FFIEC Cybersecurity Assessment Tool (CAT) D5.IR.Te.B.3 D5.IR.Te.A.1 D5.IR.Te.Inn.1 NIST SP 800-53 r5 IR-4 IR-3 IR-3 (3)	Test Response and Recovery Plans	Information Protection Processes and Procedures	PR.IP-10.RT
Protect	Protect / Maintenance / PR.MA-1.MT	Maintenance Tools: Assess the adequacy of processes and tools to maintain IT assets.	OCC Comptroller’s Handbook: Community Bank Supervision Information Technology, Objective 1, Procedure 5 Information Technology, Objective 2, Procedure 6 Information Technology, Objective 4, Procedure 3	Architecture, Infrastructure, Operations Booklet VI.B.1 Appendix A, Objective 15, procedure 1, parts a – i	Center for Internet Security (CIS) 1.1 2.1 Cyber Risk Institute (CRI) PR.MA-1.1 PR.MA-2.1 FFIEC Cybersecurity Assessment Tool (CAT) D1.RM.Au.B.3 D3.PC.Im.B.8 D3.CC.Re.Int.5 D3.CC.Re.Int.6 NIST SP 800-53 r5 MA-2 MA-3 MA-5	Maintenance Tools	Maintenance	PR.MA-1.MT
Protect	Protect / Protective Technology / PR.PT-1.LM	Log Management: Assess the adequacy of processes to manage audit and system logs.	OCC Comptroller’s Handbook: Community Bank Supervision Information Technology, Objective 2, Procedure 6 Information Technology, Objective 4, Procedure 2 Information Technology, Objective 5, Procedure 4	Information Security Booklet II.C.22 Appendix A, Objective 6, procedure 21, parts b, f, and g Appendix A, Objective 6, procedure 35, parts a – d	Center for Internet Security (CIS) 8.1 8.2 8.5 8.11 13 13.1 Cyber Risk Institute (CRI) DE.CM-1.1 DE.CM-1.2 PR.PT-1.1 PR.PT-1.2 FFIEC Cybersecurity Assessment Tool (CAT) D1.RM.Au.B.3 D2.MA.Ma.B.1 D2.MA.Ma.B.2 D3.DC.An.B.3 NIST SP 800-53 r5 AU-12 SI-4	Log Management	Protective Technology	PR.PT-1.LM
Protect	Protect / Protective Technology / PR.PT-2.RM	Removable Media: Evaluate the processes to manage removable media and portable devices.	OCC Comptroller’s Handbook: Community Bank Supervision Information Technology, Objective 5, Procedure 3	Information Security Booklet II.C.15(a) II.C.13(a) Appendix A, Objective 6, procedure 18, part a Appendix A, Objective 6, procedure 21, part d	Center for Internet Security (CIS) 3.9 4.0 4.10 4.11 10.3 10.4 Cyber Risk Institute (CRI) PR.PT-2.1 FFIEC Cybersecurity Assessment Tool (CAT) D3.PC.Am.B.14 D3.PC.De.B.1 D3.PC.De.E.4 NIST SP 800-53 r5 MP-7	Removable Media	Protective Technology	PR.PT-2.RM
Protect	Protect / Protective Technology / PR.PT-2.DS	Data Disposal and Device Sanitization: Assess the adequacy of processes to manage data disposal and device sanitization.	12 CFR 30 Appendix B (GLBA): II Standards for information security (B 4) OCC Comptroller’s Handbook: Community Bank Supervision Information Technology, Objective 5, Procedure 3	Information Security Booklet II.C.13(c) Appendix A, Objective 6, procedure 18, part e Architecture, Infrastructure, Operations Booklet VI.B.8 Appendix A, Objective 15, procedure 8, parts a – f	Center for Internet Security (CIS) 3.1 3.5 Cyber Risk Institute (CRI) PR.DS-3.1 PR.IP-6.1 PR.PT-2.1 FFIEC Cybersecurity Assessment Tool (CAT) D3.PC.Am.B.18 NIST SP 800-53 r5 MP-6 MP-7 (2)	Data Disposal and Device Sanitization	Protective Technology	PR.PT-2.DS
Protect	Protect / Protective Technology / PR.PT-3.LF	Least Functionality: Assess the adequacy of processes for configuring systems and components based on the principle of least functionality.	OCC Comptroller’s Handbook: Community Bank Supervision Information Technology, Objective 5, Procedure 3	Information Security Booklet II.C.10(b) II.C.10(c) Appendix A, Objective 6, procedure 13 Architecture, Infrastructure and Operations Booklet VI.B.2 Appendix A, Objective 6, procedure 14 Appendix A, Objective 12, procedure 6, parts a and b	Center for Internet Security (CIS) 4.8 12.2 16.10 Cyber Risk Institute (CRI) PR.PT-3.1 FFIEC Cybersecurity Assessment Tool (CAT) D3.PC.Im.B.6 NIST SP 800-53 r5 CM-7 SA-8 (2)	Least Functionality	Protective Technology	PR.PT-3.LF
Protect	Protect / Protective Technology / PR.PT-5.CR	Operational Resilience: Network and Communications Resilience: Assess the adequacy of network and communications resiliency.	OCC Bulletin 2020-94 Attachment OCC Comptroller’s Handbook: Community Bank Supervision Information Technology, Objective 6, Procedure 3 Information Technology, Objective 6, Procedure 4 Information Technology, Objective 6, Procedure 5	Business Continuity Management Booklet IV.A IV.A.1 IV.A.2 IV.A.3 Appendix A, Objective 6, procedure 3, part e Appendix A, Objective 6, procedure 6, part a – i Information Security Booklet Appendix A, Objective 7, procedure 1	Center for Internet Security (CIS) 17.6 Cyber Risk Institute (CRI) PR.DS-4.1 PR.PT-5.1 DM.BE-3.1 FFIEC Cybersecurity Assessment Tool (CAT) D5.IR.Pl.A.2 NIST SP 800-53 r5 PE-18 SC-7 CP-11	Operational Resilience	Protective Technology	PR.PT-5.CR
Protect	Protect / Protective Technology / PR.PT-5.FS	Fail Secure: Assess the processes to implement fail secure controls.	None	Business Continuity Management Booklet IV.B Appendix A, Objective 7, procedure 1 Information Security Booklet II.C.4 Appendix A, Objective 7, procedure 1 Architecture, Infrastructure, and Operations Booklet Appendix A, Objective 13, procedure 1 Appendix A, Objective 13, procedure 3, part m	Center for Internet Security (CIS) 11.1 4.1 Cyber Risk Institute (CRI) PR.PT-5.1 DM.BE-3.1 FFIEC Cybersecurity Assessment Tool (CAT) D5.IR.Pl.A.2 NIST SP 800-53 r5 SI-17	Fail Secure	Protective Technology	PR.PT-5.FS
Specialty Area	Specialty Area / Secure Software Development / SA.SD-1.DG	Development Governance: Evaluate the effectiveness of processes governing in-house software development to ensure cybersecurity is considered at all phases.	None	Information Security Booklet II.C.17 Architecture, Infrastructure, and Operations Booklet III.D.1 V.C.1 V.C.3 VII.D Appendix A, Objective 13, procedure 5, part a, subpart ii	NIST SP 800-53 r5 SA-3 SA-8-30 SA-15-5	Development Governance	Secure Software Development	SA.SD-1.DG
Specialty Area	Specialty Area / Secure Software Development / SA.SD-1.SC	Secure Coding: Evaluate the effectiveness of processes and standards that enable secure coding practices.	OCC Bulletin 2008-16	Information Security Booklet II.C.17 IV.A.1 Architecture, Infrastructure, and Operations Booklet V.C.2(c) Appendix A, Objective 13, procedure 7, part a	NIST SP 800-53 r5 SA-3 SA-8 SA-11 SA-15-2	Secure Coding	Secure Software Development	SA.SD-1.SC
Specialty Area	Specialty Area / Secure Software Development / SA.SD-1.CR	Code Review: Evaluate the effectiveness of processes to review code for vulnerabilities and security weaknesses prior to release. Consider the criticality or sensitivity of the data.	OCC Bulletin 2008-16	Information Security Booklet II.C.17 IV.A.1 Architecture, Infrastructure, and Operations Booklet Appendix A, Objective 13, procedure 6, parts g i - iv	Center for Internet Security (CIS) 16.1 Cyber Risk Institute (CRI) PR.IP-12.1 PR.IP-12.2 FFIEC Cybersecurity Assessment Tool (CAT) D3.DC.Th.E.5 NIST SP 800-53 r5 SA-8 SA-11 SA-15-2	Code Review	Secure Software Development	SA.SD-1.CR
Specialty Area	Specialty Area / Secure Software Development / SA.SD-1.NP	NPPI: Evaluate the effectiveness of controls in place to protect nonpublic personal information in test environments.	None	Architecture, Infrastructure, and Operations Booklet III.A.3 Appendix A, Objective 3, procedure 8, parts a – d	Cyber Risk Institute (CRI) PR.DS-7.1 FFIEC Cybersecurity Assessment Tool (CAT) D3.PC.Am.B.10 D3.PC.Am.E.3 NIST SP 800-53 r5 SA-3-2	NPPI	Secure Software Development	SA.SD-1.NP
Specialty Area	Specialty Area / Secure Software Development / SA.SD-1.SO	Source Code: Evaluate the effectiveness of processes in place to protect and restrict access to source code.	None	Architecture, Infrastructure, and Operations Booklet III.D III.D.1	Center for Internet Security (CIS) 16.1 NIST SP 800-53 r5 SA-10	Source Code	Secure Software Development	SA.SD-1.SO
Specialty Area	Specialty Area / Secure Software Development / SA.SD-1.EC	Emergency Change: Evaluate the effectiveness of processes associated with implementing emergency changes to ensure cybersecurity is considered.	None	Architecture, Infrastructure, and Operations Booklet III.D III.D.1	Center for Internet Security (CIS) 16.1 Cyber Risk Institute (CRI) PR.IP-3.1 FFIEC Cybersecurity Assessment Tool (CAT) D1.G.IT.B.4	Emergency Change	Secure Software Development	SA.SD-1.EC
Specialty Area	Specialty Area / Secure Software Development / SA.SD-1.MV	Manage Vulnerabilities in Code: Assess the adequacy of tools or practices to identify and remediate code vulnerabilities or code that is noncompliant with internal security standards.	OCC Bulletin 2008-16	Information Security Booklet II.C.17 IV.A.1 Architecture, Infrastructure, and Operations Booklet Appendix A, Objective 13, procedure 6, part g, subparts i - vi	Center for Internet Security (CIS) 16.1 Cyber Risk Institute (CRI) PR.IP-12.1	Manage Vulnerabilities in Code	Secure Software Development	SA.SD-1.MV

More Information About CSW Cross-References

The CSW Cross-References table above offers several columns of information. Select the sections below to learn more about what is displayed under each column.

The CSW is structured according to the five National Institute of Standards and Technology Cybersecurity Framework (NIST-CSF) functions’ 23 categories. The OCC developed an additional function, Specialty Areas, to address areas of risk that support OCC cybersecurity assessments, where applicable.

The figure below shows how NIST aligns the categories under each function. The OCC developed Specialty Areas that are not included in this figure.

Identify	Protect	Detect	Respond	Recover
IT Asset Management Business Environment Governance Risk Assessment Risk Management Strategy Supply Chain Risk Management	Data Security Identity Management Authentication, and Access Control Awareness and Training Information Protection Processes and Procedures Maintenance Protective Technology	Anomalies and Events Security Continuous Monitoring Detection Processes	Communications Response Planning Analysis Mitigation Improvements	Recovery Planning Recovery Improvements Recovery Communications

The CSW does not include NIST-CSF subcategories that are addressed as part of other examination programs or subcategories that do not apply to the OCC bank information technology supervision process.

The unique ID identifies the procedure and its hierarchy. Unique IDs are structured using a hierarchy of NIST-CSF functions, categories, and subcategories. The OCC added two characters at the end to designate the specific procedure. See the figure pictured below.

Unique ID

During supervisory activities, examiners use the procedures to guide their reviews and evaluations of cybersecurity preparedness.

OCC Resources, FFIEC IT Examination Handbook InfoBase, Industry Frameworks

The table provides cross-references that map CSW procedures to existing supervisory guidance and industry frameworks. The cross-references are provided for informational purposes only; inclusion of products, processes, services, manufacturers, or companies in the CSW is not indicative of an OCC endorsement.

Cybersecurity Supervision Work Program References

CSW Cross-References

Select the Function of the scope of the cybersecurity activity:

Apply one or more filters to narrow your results: (Optional)

More Information About CSW Cross-References

OCC Resources, FFIEC IT Examination Handbook InfoBase, Industry Frameworks

Cybersecurity Supervision Work Program References

CSW Cross-References

Select the Function of the scope of the cybersecurity activity:

Apply one or more filters to narrow your results: (Optional)

More Information About CSW Cross-References

Function / Category / Unique ID Show

Procedure Show

Cross-References Show

OCC Resources, FFIEC IT Examination Handbook InfoBase, Industry Frameworks