Control Framework Mappings

Last updated: 2026-01-13

Gray Ghost Data Consultants aligns our security controls with industry-recognized frameworks to ensure comprehensive coverage and enable easier compliance assessments for our clients.

NIST Cybersecurity Framework (CSF)

We have mapped our controls to the NIST CSF core functions:

Identify (ID)

| Subcategory | Control | Status |
|---|---|---|
| ID.AM-1 | Physical devices and systems inventoried | ✅ Implemented |
| ID.AM-2 | Software platforms and applications inventoried | ✅ Implemented |
| ID.AM-3 | Data flows mapped | ✅ Implemented |
| ID.AM-4 | External information systems catalogued | ✅ Implemented |
| ID.BE-1 | Organization's role in supply chain identified | ✅ Implemented |
| ID.GV-1 | Security policy established | ✅ Implemented |
| ID.GV-2 | Cybersecurity roles coordinated with internal roles | ✅ Implemented |
| ID.RA-1 | Asset vulnerabilities identified and documented | ✅ Implemented |
| ID.RA-5 | Threats and vulnerabilities used for risk assessment | ✅ Implemented |
| ID.RM-1 | Risk management processes established | ✅ Implemented |

Protect (PR)

| Subcategory | Control | Status |
|---|---|---|
| PR.AC-1 | Identities and credentials managed | ✅ Implemented |
| PR.AC-2 | Physical access managed | ✅ Implemented |
| PR.AC-3 | Remote access managed | ✅ Implemented |
| PR.AC-4 | Access permissions managed (least privilege) | ✅ Implemented |
| PR.AC-5 | Network integrity protected | ✅ Implemented |
| PR.AT-1 | Users informed and trained | ✅ Implemented |
| PR.DS-1 | Data-at-rest protected | ✅ Implemented |
| PR.DS-2 | Data-in-transit protected | ✅ Implemented |
| PR.DS-5 | Protections against data leaks implemented | ✅ Implemented |
| PR.IP-1 | Configuration management implemented | ✅ Implemented |
| PR.IP-9 | Response and recovery plans in place | ✅ Implemented |
| PR.IP-12 | Vulnerability management plan developed | ✅ Implemented |

Detect (DE)

| Subcategory | Control | Status |
|---|---|---|
| DE.AE-1 | Baseline of network operations established | ✅ Implemented |
| DE.AE-2 | Detected events analyzed | ✅ Implemented |
| DE.AE-3 | Event data aggregated and correlated | ✅ Implemented |
| DE.CM-1 | Network monitored for security events | ✅ Implemented |
| DE.CM-4 | Malicious code detected | ✅ Implemented |
| DE.CM-7 | Monitoring for unauthorized activity | ✅ Implemented |
| DE.CM-8 | Vulnerability scans performed | ✅ Implemented |
| DE.DP-4 | Event detection communicated | ✅ Implemented |

Respond (RS)

| Subcategory | Control | Status |
|---|---|---|
| RS.RP-1 | Response plan executed | ✅ Implemented |
| RS.CO-1 | Personnel know their roles | ✅ Implemented |
| RS.CO-2 | Incidents reported | ✅ Implemented |
| RS.CO-3 | Information shared | ✅ Implemented |
| RS.AN-1 | Notifications from detection systems investigated | ✅ Implemented |
| RS.AN-2 | Impact of incidents understood | ✅ Implemented |
| RS.MI-1 | Incidents contained | ✅ Implemented |
| RS.MI-2 | Incidents mitigated | ✅ Implemented |
| RS.IM-1 | Response plans incorporate lessons learned | ✅ Implemented |

Recover (RC)

| Subcategory | Control | Status |
|---|---|---|
| RC.RP-1 | Recovery plan executed | ✅ Implemented |
| RC.IM-1 | Recovery plans incorporate lessons learned | ✅ Implemented |
| RC.CO-1 | Public relations managed | ✅ Implemented |
| RC.CO-3 | Recovery activities communicated | ✅ Implemented |

CIS Controls v8

We implement CIS Controls at Implementation Group 1 and 2 levels:

Implementation Group 1 (Essential)

| Control | Description | Status |
|---|---|---|
| 1 | Inventory and Control of Enterprise Assets | |
| 2 | Inventory and Control of Software Assets | |
| 3 | Data Protection | |
| 4 | Secure Configuration | |
| 5 | Account Management | |
| 6 | Access Control Management | |
| 7 | Continuous Vulnerability Management | |
| 8 | Audit Log Management | |
| 9 | Email and Web Browser Protections | |
| 10 | Malware Defenses | |
| 11 | Data Recovery | |
| 14 | Security Awareness Training | |
| 17 | Incident Response Management | |

Implementation Group 2 (Foundational)

| Control | Description | Status |
|---|---|---|
| 12 | Network Infrastructure Management | |
| 13 | Network Monitoring and Defense | |
| 15 | Service Provider Management | |
| 16 | Application Software Security | |
| 18 | Penetration Testing | |

Control Evidence

For compliance assessments, we can provide evidence for each control including:

  • Policy documentation
  • Technical configurations
  • Screenshots and reports
  • Audit logs
  • Third-party assessment reports

Contact security@grayghostdata.com to request control evidence for your compliance needs.