The CRI Profile MAPPING SCOPE

Scope Overview

Scoping decisions for mapping The CRI Profile diagnostic statements are documented below. These scoping decisions were used for diagnostic statement review and selection for mapping according to the Mapping Methodology.

General Scoping Decisions

Operational vs. Policy and Procedural Controls
This effort is focused on the technical and operational elements of The CRI Profile and does not take into account the management elements, which are often focused on organization-specific policies and procedures. This decision was made because management-specific capabilities are policy-based, and the intent of this effort was to focus on technical and operational capabilities that correlate to ATT&CK mitigations, techniques, and sub-techniques.
Mitigation vs. Monitoring
Capabilities that may only monitor adversary behaviors are out of scope. The focus of this effort is on technical capabilities that mitigate adversary techniques and sub-techniques. No consideration is given to the possibility that an adversary might be dissuaded, or might change tactics to try to avoid detection, if they believed their activity was being monitored.
Diagnostic Statements vs. Function, Category, and Subcategory
This effort maps at the diagnostic statement level and does not map at the function, category, or subcategory level, although consideration was given to each diagnostic statement's grouping by function, category, and subcategory.
Implicit vs. Explicit Mitigation
This effort focuses on system-specific technical mitigations (e.g., block USB devices, perform data backups) and capabilities that support those mitigations rather than other, non-technical methods of mitigation (e.g., block physical access to systems, develop a backup policy).
Pre-compromise Mitigation
Techniques associated only with the Pre-compromise mitigation are excluded. These apply to techniques occurring before an adversary gains Initial Access, such as Reconnaissance and Resource Development techniques, and are considered out of scope.

Diagnostic Statement Scoping Decisions

The CRI Profile scoping decisions are captured below at the function and category level along with our rationale for diagnostic statements in those categories being in or out of scope:

Function: Category | In Scope | Rationale
--- | --- | ---
Govern: Organizational Context (GV.OC) | No | Management elements for establishing organizational circumstances are not in scope.
Govern: Risk Management Strategy (GV.RM) | No | Management elements for organizational strategies are not in scope.
Govern: Roles, Responsibilities, and Authorities (GV.RR) | No | Management elements focused on organization-specific roles, responsibilities, and authorities are not in scope.
Govern: Policies, Processes, and Procedures (GV.PO) | No | Management elements focused on organization-specific policies and procedures are not in scope.
Govern: Oversight (GV.OV) | No | Management elements for organizational strategy are not in scope.
Govern: Supply Chain Risk Management (GV.SC) | No | Management elements focused on organization-specific policies and procedures are not in scope.
Govern: Independent Risk Management Function (GV.IR) | No | Management elements for establishing organizational guidelines are not in scope.
Govern: Independent Audit Function (GV.AU) | No | Management elements for establishing organizational guidelines are not in scope.
Identify: Asset Management (ID.AM) | Partial | Diagnostic statements involving operational and technical controls for data protection and lifecycle management are in scope.
Identify: Risk Assessment (ID.RA) | Partial | Diagnostic statements for remediation of identified vulnerabilities before implementation or following changes are in scope.
Identify: Improvement (ID.IM) | Partial | Diagnostic statements providing operational and technical controls for data protection are in scope.
Protect: Identity Management, Authentication, and Access Control (PR.AA) | Partial | Diagnostic statements providing operational and technical controls for identification and authentication of network and system users and devices are in scope.
Protect: Awareness and Training (PR.AT) | No | Awareness and training activities are not applicable, as they are for general security awareness training and not specific threat mitigations.
Protect: Data Security (PR.DS) | Yes | Diagnostic statements providing operational and technical controls for data protection are in scope.
Protect: Platform Security (PR.PS) | Partial | Diagnostic statements providing operational and technical controls for hardware, software, and systems are in scope.
Protect: Technology Infrastructure Resilience (PR.IR) | Partial | Diagnostic statements providing operational and technical controls for hardware, software, and systems are in scope.
Detect: Continuous Monitoring (DE.CM) | Partial | Diagnostic statements providing operational and technical controls for protecting assets are in scope.
Detect: Adverse Event Analysis (DE.AE) | No | Incident analysis elements are not applicable, as they do not provide mitigations of specific threats but rather provide actions for detected security incident occurrences.
Respond: Incident Management (RS.MA) | No | Response elements are not applicable, as they do not provide mitigations of specific threats but rather provide actions for detected security incident occurrences.
Respond: Incident Analysis (RS.AN) | No | Response elements are not applicable, as they do not provide mitigations of specific threats but rather provide actions for detected security incident occurrences.
Respond: Incident Response Reporting and Communication (RS.CO) | No | Response elements are not applicable, as they do not provide mitigations of specific threats but rather provide actions for detected security incident occurrences.
Respond: Incident Mitigation (RS.MI) | No | Response elements are not applicable, as they do not provide mitigations of specific threats but rather provide actions for detected security incident occurrences.
Recover: Incident Recovery Plan Execution (RC.RP) | No | Recover elements are not applicable, as they do not provide mitigations of specific threats but rather provide restoration actions after security incident occurrences.
Recover: Incident Recovery Communication (RC.CO) | No | Recover elements are not applicable, as they do not provide mitigations of specific threats but rather provide restoration actions after security incident occurrences.
Extend: Procurement Planning and Due Diligence (EX.DD) | Partial | Diagnostic statements providing operational and technical controls for third-party systems and software are in scope.
Extend: Third-Party Contracts and Agreements (EX.CN) | No | Management elements focused on organization-specific policies and procedures are not in scope.
Extend: Monitoring and Managing Suppliers (EX.MM) | Partial | Diagnostic statements providing operational and technical controls for third-party systems and software are in scope.
Extend: Relationship Termination (EX.TR) | No | Management elements focused on organization-specific policies and procedures are not in scope.