
The NIST 2.0 Cybersecurity Framework
Practical Risk Management using Real-World Incidents
Cynthia Brumfield(Author)
Wiley (Publisher)
1st Edition
Published on 21 April 2026
Book
Hardback
208 pages
978-1-394-35218-0 (ISBN)
Description
Learn to identify, protect, defend, and recover from cyber incidents
The NIST 2.0 Cybersecurity Framework delivers clear guidance on applying the gold standard NIST framework in complex, real-world situations. Drawing on her extensive cybersecurity research and reporting, author Cynthia Brumfield explains how to identify risks, defend against threats, and recover from incidents using compelling case studies.
The book examines high-profile incidents, including Microsoft's Midnight Blizzard attack, the Ticketmaster data breach, and the Columbus ransomware incident, to illustrate NIST functions, and inform readers on how to create asset inventories, implement protective measures, detect suspicious activity, respond to incidents, and establish governance policies. Each chapter provides implementation examples, references, and demystification of NIST framework controls for securing assets and managing risks.
The book includes:
Real-world case studies from Microsoft, Ticketmaster, MGM Resorts and Caesars Entertainment, and other organizations that illustrate practical applications of the NIST framework
Implementation guidance covering all six NIST functions: Identify, Protect, Detect, Respond, Recover, and Govern
Chapter summaries and quizzes that reinforce learning objectives and help readers assess their understanding
Clear and concise explanations of how to achieve the outcomes articulated across the NIST categories and subcategories
Whether you're a student, organizational decision-maker, IT professional, public or private cybersecurity worker, or government contractor, this book provides the practical knowledge needed to implement the NIST 2.0 Framework effectively. You'll learn from real-world failures and successes to build a robust cybersecurity program.
More details
Language
English
Place of publication
New York
United States
Target group
College/higher education
Professional and scholarly
Product notice
sewn/stitched
Cloth over boards
Dimensions
Height: 252 mm
Width: 180 mm
Thickness: 20 mm
Weight
567 g
ISBN-13
978-1-394-35218-0 (9781394352180)
Other editions

Cynthia Brumfield
The NIST 2.0 Cybersecurity Framework
Practical Risk Management using Real-World Incidents
E-Book
04/2026
1st Edition
Wiley
€84.99
Available for download
Person
CYNTHIA BRUMFIELD is a veteran technology and communications industry writer, analyst, and publisher who now focuses exclusively on cybersecurity. She publishes a leading cybersecurity news destination, Metacurity.com, and is the author of Cybersecurity Risk Management. She has also written extensively for cybersecurity publications including CSO Online and Cyberscoop. Her work has won numerous AZBEE awards from the American Society of Business Publication Editors and The Folio: Eddie & Ozzie Awards.
Content
Foreword xvii
Acknowledgements xix
1 Overview of Risk Management and the NIST Cybersecurity Framework 1
1.1 Brief Overview of Risk Management Principles 1
1.1.1 The Core Journey of Risk Management 2
1.1.1.1 Identify Risks 2
1.1.1.2 Analyze and Evaluate Risks 2
1.1.1.3 Control and Mitigate Risks 2
1.1.1.4 Monitor and Review Risks 2
1.1.2 Cultivating a Resilient Organization 3
1.2 Background on the NIST Cybersecurity Framework 3
1.2.1 Six Basic Functions 4
1.2.1.1 Identify (ID) 4
1.2.1.2 Protect (PR) 5
1.2.1.3 Detect (DE) 5
1.2.1.4 Respond (RS) 5
1.2.1.5 Recover (RC) 6
1.2.1.6 Govern (GV) 6
1.2.2 Overview of Additional CSF Core Elements 6
1.2.2.1 Categories 6
1.2.2.2 Subcategories 6
1.2.2.3 Implementation Examples 7
1.2.2.4 Informative References 7
1.2.3 Other Vital Elements of the CSF 8
1.2.3.1 Framework Profiles 8
1.2.3.2 Implementation Tiers 8
1.2.4 How the NIST Framework Jives with the Parkerian Hexad 9
2 NIST Function Identify 11
2.1 IDENTIFY (ID): The Organization's Current Cybersecurity Risks Are Understood 12
2.1.1 Asset Management (ID.AM): Assets (e.g., Data, Hardware, Software, Systems, Facilities, Services, People) That Enable the Organization to Achieve Business Purposes Are Identified and Managed Consistently with Their Relative Importance to Organizational Objectives and the Organization's Risk Strategy 12
2.1.1.1 ID.AM-01: Inventories of Hardware Managed by the Organization Are Maintained 13
2.1.1.2 ID.AM-02: Inventories of Software, Services, and Systems Managed by the Organization Are Maintained 14
2.1.1.3 ID.AM-03: Representations of the Organization's Authorized Network Communication and Internal and External Network Data Flows Are Maintained 15
2.1.1.4 ID.AM-04: Inventories of Services Provided by Suppliers Are Maintained 16
2.1.1.5 ID.AM-05: Assets Are Prioritized Based on Classification, Criticality, Resources, and Impact on the Mission 17
2.1.1.6 ID.AM-07: Inventories of Data and Corresponding Metadata for Designated Data Types Are Maintained (Note ID.AM-06 Is Now Incorporated into GV.RR-02, GV.SC-02) 18
2.1.1.7 ID.AM-08: Systems, Hardware, Software, Services, and Data Are Managed Throughout Their Life Cycles 19
2.1.2 Risk Assessment (ID.RA): The Cybersecurity Risk to the Organization, Assets, and Individuals Is Understood by the Organization 21
2.1.2.1 ID.RA-01: Vulnerabilities in Assets Are Identified, Validated, and Recorded 22
2.1.2.2 ID.RA-02: Cyber Threat Intelligence Is Received from Information-sharing Forums and Sources 23
2.1.2.3 ID.RA-03: Internal and External Threats to the Organization Are Identified and Recorded 24
2.1.2.4 ID.RA-04: Potential Impacts and Likelihoods of Threats Exploiting Vulnerabilities Are Identified and Recorded 25
2.1.2.5 ID.RA-05: Threats, Vulnerabilities, Likelihoods, and Impacts Are Used to Understand Inherent Risk and Inform Risk Response Prioritization 26
2.1.2.6 ID.RA-06: Risk Responses Are Chosen, Prioritized, Planned, Tracked, and Communicated 27
2.1.2.7 ID.RA-07: Changes and Exceptions Are Managed, Assessed for Risk Impact, Recorded, and Tracked 29
2.1.2.8 ID.RA-08: Processes for Receiving, Analyzing, and Responding to Vulnerability Disclosures Are Established 30
2.1.2.9 ID.RA-09: The Authenticity and Integrity of Hardware and Software Are Assessed Before Acquisition and Use 31
2.1.2.10 ID.RA-10: Critical Suppliers Are Assessed Before Acquisition 32
2.1.3 Improvement (ID.IM): Improvements to Organizational Cybersecurity Risk Management Processes, Procedures, and Activities Are Identified Across All CSF Functions 33
2.1.3.1 ID.IM-01: Improvements Are Identified from Evaluations 34
2.1.3.2 ID.IM-02: Improvements Are Identified from Security Tests and Exercises, Including Those Done in Coordination with Suppliers and Relevant Third Parties 36
2.1.3.3 ID.IM-03: Improvements Are Identified from the Execution of Operational Processes, Procedures, and Activities 38
2.1.3.4 ID.IM-04: Incident Response Plans and Other Cybersecurity Plans That Affect Operations Are Established, Communicated, Maintained, and Improved 40
Chapter Summary 41
Chapter Quiz 41
Bibliography 42
3 NIST Function Protect 43
3.1 Protect: Safeguards to Manage the Organization's Cybersecurity Risks Are Used 44
3.1.1 Identity Management, Authentication, and Access Control (PR.AA): Access to Physical and Logical Assets Is Limited to Authorized Users, Services, and Hardware and Managed Commensurate with the Assessed Risk of Unauthorized Access 44
3.1.1.1 PR.AA-01: Identities and Credentials for Authorized Users, Services, and Hardware Are Managed 45
3.1.1.2 PR.AA-02: Identities Are Proofed and Bound to Credentials Based on the Context of Interactions 46
3.1.1.3 PR.AA-03: Users, Services, and Hardware Are Authenticated 47
3.1.1.4 PR.AA-04: Identity Assertions Are Protected, Conveyed, and Verified 49
3.1.1.5 PR.AA-05: Access Permissions, Entitlements, and Authorizations Are Defined in a Policy, Managed, Enforced, and Reviewed, and Incorporate the Principles of Least Privilege and Separation of Duties 50
3.1.1.6 PR.AA-06: Physical Access to Assets Is Managed, Monitored, and Enforced Commensurate with Risk 52
3.1.2 Awareness and Training (PR.AT): The Organization's Personnel Are Provided with Cybersecurity Awareness and Training So That They Can Perform Their Cybersecurity-related Tasks 54
3.1.2.1 PR.AT-01: Personnel Are Provided with Awareness and Training So That They Possess the Knowledge and Skills to Perform General Tasks with Cybersecurity Risks in Mind 54
3.1.2.2 PR.AT-02: Individuals in Specialized Roles Are Provided with Awareness and Training So That They Possess the Knowledge and Skills to Perform Relevant Tasks with Cybersecurity Risks in Mind 56
3.1.3 Data Security (PR.DS): Data Are Managed Consistently with the Organization's Risk Strategy to Protect the Confidentiality, Integrity, and Availability of Information 57
3.1.3.1 PR.DS-01: The Confidentiality, Integrity, and Availability of Data-at-rest Are Protected 58
3.1.3.2 PR.DS-02: The Confidentiality, Integrity, and Availability of Data-in-transit Are Protected 60
3.1.3.3 PR.DS-10: The Confidentiality, Integrity, and Availability of Data-in-use Are Protected (PR.DS-03: [Withdrawn: Incorporated into ID.AM-08, PR.PS-03], PR.DS-04: [Withdrawn: Moved to PR.IR-04], PR.DS-05: [Withdrawn: Incorporated into PR.DS-01, PR.DS-02, PR.DS-10], PR.DS-06: [Withdrawn: Incorporated into PR.DS-01, DE.CM-09], PR.DS-07: [Withdrawn: Incorporated into PR.IR-01], PR.DS-08: [Withdrawn: Incorporated into ID.RA-09, DE.CM-09]) 62
3.1.3.4 PR.DS-11: Backups of Data Are Created, Protected, Maintained, and Tested 63
3.1.4 Platform Security (PR.PS): The Hardware, Software (e.g., Firmware, Operating Systems, Applications), and Services of Physical and Virtual Platforms Are Managed Consistent with the Organization's Risk Strategy to Protect Their Confidentiality, Integrity, and Availability 65
3.1.4.1 PR.PS-01: Configuration Management Practices Are Established and Applied 65
3.1.4.2 PR.PS-02: Software Is Maintained, Replaced, and Removed Commensurate with Risk 67
3.1.4.3 PR.PS-03: Hardware Is Maintained, Replaced, and Removed Commensurate with Risk 68
3.1.4.4 PR.PS-04: Log Records Are Generated and Made Available for Continuous Monitoring 70
3.1.4.5 PR.PS-05: Installation and Execution of Unauthorized Software Are Prevented 71
3.1.4.6 PR.PS-06: Secure Software Development Practices Are Integrated, and Their Performance Is Monitored Throughout the Software Development Life Cycle 72
3.1.5 Technology Infrastructure Resilience (PR.IR): Security Architectures Are Managed with the Organization's Risk Strategy to Protect Asset Confidentiality, Integrity, and Availability, and Organizational Resilience 74
3.1.5.1 PR.IR-01: Networks and Environments Are Protected from Unauthorized Logical Access and Usage 75
3.1.5.2 PR.IR-02: The Organization's Technology Assets Are Protected from Environmental Threats 76
3.1.5.3 PR.IR-03: Mechanisms Are Implemented to Achieve Resilience Requirements in Normal and Adverse Situations 77
3.1.5.4 PR.IR-04: Adequate Resource Capacity to Ensure Availability Is Maintained 79
Chapter Summary 80
Chapter Quiz 80
Bibliography 80
4 NIST Function Detect 81
4.1 DETECT: Possible Cybersecurity Attacks and Compromises Are Found and Analyzed 82
4.1.1 Continuous Monitoring (DE.CM): Assets Are Monitored to Find Anomalies, Indicators of Compromise, and Other Potentially Adverse Events 83
4.1.1.1 DE.CM-01: Networks and Network Services Are Monitored to Find Potentially Adverse Events 83
4.1.1.2 DE.CM-02: The Physical Environment Is Monitored to Find Potentially Adverse Events 84
4.1.1.3 DE.CM-03: Personnel Activity and Technology Usage Are Monitored to Find Potentially Adverse Events 85
4.1.1.4 DE.CM-06: External Service Provider Activities and Services Are Monitored to Find Potentially Adverse Events (Note: DE.CM-04: [Withdrawn: Incorporated into DE.CM-01, DE.CM-09] and DE.CM-05: [Withdrawn: Incorporated into DE.CM-01, DE.CM-09]) 86
4.1.1.5 DE.CM-09: Computing Hardware and Software, Runtime Environments, and Their Data Are Monitored to Find Potentially Adverse Events (Note: DE.CM-07: [Withdrawn: Incorporated into DE.CM-01, DE.CM-03, DE.CM-06, DE.CM-09], DE.CM-08: [Withdrawn: Incorporated into ID.RA-01]) 87
4.1.2 Adverse Event Analysis (DE.AE): Anomalies, Indicators of Compromise, and Other Potentially Adverse Events Are Analyzed to Characterize the Events and Detect Cybersecurity Incidents 89
4.1.2.1 DE.AE-02: Potentially Adverse Events Are Analyzed to Understand Associated Activities Better (Note: DE.AE-01: [Withdrawn: Incorporated into ID.AM-03]) 89
4.1.2.2 DE.AE-03: Information Is Correlated from Multiple Sources 90
4.1.2.3 DE.AE-04: The Estimated Impact and Scope of Adverse Events Are Understood 91
4.1.2.4 DE.AE-06: Information on Adverse Events Is Provided to Authorized Staff and Tools (Note: DE.AE-05: [Withdrawn: Moved to DE.AE-08]) 92
4.1.2.5 DE.AE-07: Cyber Threat Intelligence and Other Contextual Information Are Integrated into the Analysis 93
4.1.2.6 DE.AE-08: Incidents Are Declared When Adverse Events Meet the Defined Incident Criteria 94
Chapter Summary 95
Chapter Quiz 96
Bibliography 96
5 NIST Function Respond 99
5.1 RESPOND (RS): Actions Regarding a Detected Cybersecurity Incident Are Taken 100
5.1.1 Incident Management (RS.MA): Responses to Detected Cybersecurity Incidents Are Managed 101
5.1.1.1 RS.MA-01: The Incident Response Plan Is Executed in Coordination with Relevant Third Parties Once an Incident Is Declared 101
5.1.1.2 RS.MA-02: Incident Reports Are Triaged and Validated 103
5.1.1.3 RS.MA-03: Incidents Are Categorized and Prioritized 104
5.1.1.4 RS.MA-04: Incidents Are Escalated or Elevated as Needed 104
5.1.1.5 RS.MA-05: The Criteria for Initiating Incident Recovery Are Applied 105
5.1.2 Incident Analysis (RS.AN): Investigations Are Conducted to Ensure Adequate Response and Support Forensics and Recovery Activities 106
5.1.2.1 RS.AN-03: Analysis Is Performed to Establish What Has Taken Place During an Incident and the Root Cause of the Incident (Note: RS.AN-01: [Withdrawn: Incorporated into RS.MA-02] and RS.AN-02: [Withdrawn: Incorporated into RS.MA-02, RS.MA-03, RS.MA-04]) 107
5.1.2.2 RS.AN-06: Actions Performed During an Investigation Are Recorded, and the Records' Integrity and Provenance Are Preserved (Note: RS.AN-04: [Withdrawn: Moved to RS.MA-03] and RS.AN-05: [Withdrawn: Moved to ID.RA-08]) 108
5.1.2.3 RS.AN-07: Incident Data and Metadata Are Collected, and Their Integrity and Provenance Are Preserved 108
5.1.2.4 RS.AN-08: An Incident's Magnitude Is Estimated and Validated 109
5.1.3 Incident Response Reporting and Communication (RS.CO): Response Activities Are Coordinated with Internal and External Stakeholders as Required by Laws, Regulations, or Policies 110
5.1.3.1 RS.CO-02: Internal and External Stakeholders Are Notified of Incidents (Note: RS.CO-01: [Withdrawn: Incorporated into PR.AT-01]) 111
5.1.3.2 RS.CO-03: Information Is Shared with Designated Internal and External Stakeholders (Note RS.CO-04: [Withdrawn: Incorporated into RS.MA-01, RS.MA-04] and RS.CO-05: [Withdrawn: Incorporated into RS.CO-03]) 112
5.1.4 Incident Mitigation (RS.MI): Activities Are Performed to Prevent the Expansion of an Event and Mitigate Its Effects 113
5.1.4.1 RS.MI-01: Incidents Are Contained 113
5.1.4.2 RS.MI-02: Incidents Are Eradicated 114
Chapter Summary 116
Chapter Quiz 116
Bibliography 116
6 NIST Function Recover 117
6.1 RECOVER (RC): Assets and Operations Affected by a Cybersecurity Incident Are Restored 118
6.1.1 Incident Recovery Plan Execution (RC.RP): Restoration Activities Are Performed to Ensure Operational Availability of Systems and Services Affected by Cybersecurity Incidents 119
6.1.1.1 RC.RP-01: The Recovery Portion of the Incident Response Plan Is Executed Once Initiated from the Incident Response Process 119
6.1.1.2 RC.RP-02: Recovery Actions Are Selected, Scoped, Prioritized, and Performed 120
6.1.1.3 RC.RP-03: The Integrity of Backups and Other Restoration Assets Is Verified Before Using Them for Restoration 121
6.1.1.4 RC.RP-04: Critical Mission Functions and Cybersecurity Risk Management Are Considered to Establish Post-incident Operational Norms 122
6.1.1.5 RC.RP-05: The Integrity of Restored Assets Is Verified, Systems and Services Are Restored, and Normal Operating Status Is Confirmed 123
6.1.1.6 RC.RP-06: The End of Incident Recovery Is Declared Based on Criteria, and Incident-related Documentation Is Completed 124
6.1.2 Incident Recovery Communication (RC.CO): Restoration Activities Are Coordinated with Internal and External Parties 124
6.1.2.1 RC.CO-03: Recovery Activities and Progress in Restoring Operational Capabilities Are Communicated to Designated Internal and External Stakeholders (Note: RC.CO-01: [Withdrawn: Incorporated into RC.CO-04], RC.CO-02: [Withdrawn: Incorporated into RC.CO-04]) 125
6.1.2.2 RC.CO-04: Public Updates on Incident Recovery Are Shared Using Approved Methods and Messaging 126
Chapter Summary 127
Chapter Quiz 127
Bibliography 128
7 NIST Function Govern 129
7.1 GOVERN (GV): The Organization's Cybersecurity Risk Management Strategy, Expectations, and Policy Are Established, Communicated, and Monitored 130
7.1.1 Organizational Context (GV.OC): The Circumstances (Mission, Stakeholder Expectations, Dependencies, and Legal, Regulatory, and Contractual Requirements) Surrounding the Organization's Cybersecurity Risk Management Decisions Are Understood 130
7.1.1.1 GV.OC-01: The Organizational Mission Is Understood and Informs Cybersecurity Risk Management 131
7.1.1.2 GV.OC-02: Internal and External Stakeholders Are Understood, and Their Needs and Expectations Regarding Cybersecurity Risk Management Are Understood and Considered 132
7.1.1.3 GV.OC-03: Legal, Regulatory, and Contractual Requirements Regarding Cybersecurity (Including Privacy and Civil Liberties Obligations) Are Understood and Managed 133
7.1.1.4 GV.OC-04: Critical Objectives, Capabilities, and Services that External Stakeholders Depend on or Expect from the Organization Are Understood and Communicated 134
7.1.1.5 GV.OC-05: Outcomes, Capabilities, and Services That the Organization Depends on Are Understood and Communicated 136
7.1.2 Risk Management Strategy (GV.RM): The Organization's Priorities, Constraints, Risk Tolerance and Appetite Statements, and Assumptions Are Established, Communicated, and Used to Support Operational Risk Decisions 137
7.1.2.1 GV.RM-01: Risk Management Objectives Are Established and Agreed to by Organizational Stakeholders 137
7.1.2.2 GV.RM-02: Risk Appetite and Risk Tolerance Statements Are Established, Communicated, and Maintained 138
7.1.2.3 GV.RM-03: Cybersecurity Risk Management Activities and Outcomes Are Included in Enterprise Risk Management Processes 139
7.1.2.4 GV.RM-04: Strategic Direction That Describes Appropriate Risk Response Options Is Established and Communicated 140
7.1.2.5 GV.RM-05: Lines of Communication Across the Organization Are Established for Cybersecurity Risks, Including Risks from Suppliers and Other Third Parties 141
7.1.2.6 GV.RM-06: A Standardized Method for Calculating, Documenting, Categorizing, and Prioritizing Cybersecurity Risks Is Established and Communicated 142
7.1.2.7 GV.RM-07: Strategic Opportunities (i.e., Positive Risks) Are Characterized and Included in Organizational Cybersecurity Risk Discussions 143
7.1.3 Roles, Responsibilities, and Authorities (GV.RR): Cybersecurity Roles, Responsibilities, and Authorities to Foster Accountability, Performance Assessment, and Continuous Improvement Are Established and Communicated 144
7.1.3.1 GV.RR-01: Organizational Leadership Is Responsible and Accountable for Cybersecurity Risk and Fosters a Culture That Is Risk-aware, Ethical, and Continually Improving 144
7.1.3.2 GV.RR-02: Roles, Responsibilities, and Authorities Related to Cybersecurity Risk Management Are Established, Communicated, Understood, and Enforced 145
7.1.3.3 GV.RR-03: Adequate Resources Are Allocated Commensurate with the Cybersecurity Risk Strategy, Roles, Responsibilities, and Policies 146
7.1.3.4 GV.RR-04: Cybersecurity Is Included in Human Resources Practices 147
7.1.4 Policy (GV.PO): Organizational Cybersecurity Policy Is Established, Communicated, and Enforced 148
7.1.4.1 GV.PO-01: Policy for Managing Cybersecurity Risks Is Established Based on Organizational Context, Cybersecurity Strategy, and Priorities, and Is Communicated and Enforced 149
7.1.4.2 GV.PO-02: Policy for Managing Cybersecurity Risks Is Reviewed, Updated, Communicated, and Enforced to Reflect Changes in Requirements, Threats, Technology, and Organizational Mission 150
7.1.5 Oversight (GV.OV): Results of Organization-wide Cybersecurity Risk Management Activities and Performance Are Used to Inform, Improve, and Adjust the Risk Management Strategy 152
7.1.5.1 GV.OV-01: Cybersecurity Risk Management Strategy Outcomes Are Reviewed to Inform and Adjust Strategy and Direction 152
7.1.5.2 GV.OV-02: The Cybersecurity Risk Management Strategy Is Reviewed and Adjusted to Ensure Coverage of Organizational Requirements and Risks 153
7.1.5.3 GV.OV-03: Organizational Cybersecurity Risk Management Performance Is Evaluated and Reviewed for Adjustments Needed 154
7.1.6 Cybersecurity Supply Chain Risk Management (GV.SC): Cyber Supply Chain Risk Management Processes Are Identified, Established, Managed, Monitored, and Improved by Organizational Stakeholders 155
7.1.6.1 GV.SC-01: A Cybersecurity Supply Chain Risk Management Program, Strategy, Objectives, Policies, and Processes Are Established and Agreed to by Organizational Stakeholders 156
7.1.6.2 GV.SC-02: Cybersecurity Roles and Responsibilities for Suppliers, Customers, and Partners Are Established, Communicated, and Coordinated Internally and Externally 157
7.1.6.3 GV.SC-03: Cybersecurity Supply Chain Risk Management Is Integrated into Cybersecurity and ERM, Risk Assessment, and Improvement Processes 159
7.1.6.4 GV.SC-04: Suppliers Are Known and Prioritized by Criticality 160
7.1.6.5 GV.SC-05: Requirements to Address Cybersecurity Risks in Supply Chains Are Established, Prioritized, and Integrated into Contracts and Other Types of Agreements with Suppliers and Other Relevant Third Parties 161
7.1.6.6 GV.SC-06: Planning and Due Diligence Are Performed to Reduce Risks Before Entering into Formal Supplier or Other Third-party Relationships 163
7.1.6.7 GV.SC-07: The Risks Posed by a Supplier, Their Products and Services, and Other Third Parties Are Understood, Recorded, Prioritized, Assessed, Responded to, and Monitored Over the Course of the Relationship 164
7.1.6.8 GV.SC-08: Relevant Suppliers and Other Third Parties Are Included in Incident Planning, Response, and Recovery Activities 166
7.1.6.9 GV.SC-09: Supply Chain Security Practices Are Integrated into Cybersecurity and ERM Programs, and Their Performance Is Monitored Throughout the Technology Product and Service Life Cycle 167
7.1.6.10 GV.SC-10: Cybersecurity Supply Chain Risk Management Plans Include Provisions for Activities that Occur After the Conclusion of a Partnership or Service Agreement 168
Chapter Summary 170
Chapter Quiz 170
Bibliography 170
Appendix: Quiz Answer Key 171
Index 175
Acknowledgements xix
1 Overview of Risk Management and the NIST Cybersecurity Framework 1
1.1 Brief Overview of Risk Management Principles 1
1.1.1 The Core Journey of Risk Management 2
1.1.1.1 Identify Risks 2
1.1.1.2 Analyze and Evaluate Risks 2
1.1.1.3 Control and Mitigate Risks 2
1.1.1.4 Monitor and Review Risks 2
1.1.2 Cultivating a Resilient Organization 3
1.2 Background on the NIST Cybersecurity Framework 3
1.2.1 Six Basic Functions 4
1.2.1.1 Identify (ID) 4
1.2.1.2 Protect (PR) 5
1.2.1.3 Detect (DE) 5
1.2.1.4 Respond (RS) 5
1.2.1.5 Recover (RC) 6
1.2.1.6 Govern (GV) 6
1.2.2 Overview of Additional CSF Core Elements 6
1.2.2.1 Categories 6
1.2.2.2 Subcategories 6
1.2.2.3 Implementation Examples 7
1.2.2.4 Informative References 7
1.2.3 Other Vital Elements of the CSF 8
1.2.3.1 Framework Profiles 8
1.2.3.2 Implementation Tiers 8
1.2.4 How the NIST Framework Jives with the Parkerian Hexad 9
2 NIST Function Identify 11
2.1 IDENTIFY (ID): The Organization's Current Cybersecurity Risks Are Understood 12
2.1.1 Asset Management (ID.AM): Assets (e.g., Data, Hardware, Software, Systems, Facilities, Services, People) That Enable the Organization to Achieve Business Purposes Are Identified and Managed Consistently with Their Relative Importance to Organizational Objectives and the Organization's Risk Strategy 12
2.1.1.1 ID.AM-01: Inventories of Hardware Managed by the Organization Are Maintained 13
2.1.1.2 ID.AM-02: Inventories of Software, Services, and Systems Managed by the Organization Are Maintained 14
2.1.1.3 ID.AM-03: Representations of the Organization's Authorized Network Communication and Internal and External Network Data Flows Are Maintained 15
2.1.1.4 ID.AM-04: Inventories of Services Provided by Suppliers Are Maintained 16
2.1.1.5 ID.AM-05: Assets Are Prioritized Based on Classification, Criticality, Resources, and Impact on the Mission 17
2.1.1.6 ID.AM-07: Inventories of Data and Corresponding Metadata for Designated Data Types Are Maintained (Note ID.AM-06 Is Now Incorporated into GV.RR-02, GV.SC-02) 18
2.1.1.7 ID.AM-08: Systems, Hardware, Software, Services, and Data Are Managed Throughout Their Life Cycles 19
2.1.2 Risk Assessment (ID.RA): The Cybersecurity Risk to the Organization, Assets, and Individuals Is Understood by the Organization 21
2.1.2.1 ID.RA-01: Vulnerabilities in Assets Are Identified, Validated, and Recorded 22
2.1.2.2 ID.RA-02: Cyber Threat Intelligence Is Received from Information-sharing Forums and Sources 23
2.1.2.3 ID.RA-03: Internal and External Threats to the Organization Are Identified and Recorded 24
2.1.2.4 ID.RA-04: Potential Impacts and Likelihoods of Threats Exploiting Vulnerabilities Are Identified and Recorded 25
2.1.2.5 ID.RA-05: Threats, Vulnerabilities, Likelihoods, and Impacts Are Used to Understand Inherent Risk and Inform Risk Response Prioritization 26
2.1.2.6 ID.RA-06: Risk Responses Are Chosen, Prioritized, Planned, Tracked, and Communicated 27
2.1.2.7 ID.RA-07: Changes and Exceptions Are Managed, Assessed for Risk Impact, Recorded, and Tracked 29
2.1.2.8 ID.RA-08: Processes for Receiving, Analyzing, and Responding to Vulnerability Disclosures Are Established 30
2.1.2.9 ID.RA-09: The Authenticity and Integrity of Hardware and Software Are Assessed Before Acquisition and Use 31
2.1.2.10 ID.RA-10: Critical Suppliers Are Assessed Before Acquisition 32
2.1.3 Improvement (ID.IM): Improvements to Organizational Cybersecurity Risk Management Processes, Procedures, and Activities Are Identified Across All CSF Functions 33
2.1.3.1 ID.IM-01: Improvements Are Identified from Evaluations 34
2.1.3.2 ID.IM-02: Improvements Are Identified from Security Tests and Exercises, Including Those Done in Coordination with Suppliers and Relevant Third Parties 36
2.1.3.3 ID.IM-03: Improvements Are Identified from the Execution of Operational Processes, Procedures, and Activities 38
2.1.3.4 ID.IM-04: Incident Response Plans and Other Cybersecurity Plans That Affect Operations Are Established, Communicated, Maintained, and Improved 40
Chapter Summary 41
Chapter Quiz 41
Bibliography 42
3 NIST Function Protect 43
3.1 Protect: Safeguards to Manage the Organization's Cybersecurity Risks Are Used 44
3.1.1 Identity Management, Authentication, and Access Control (PR.AA)-Access to Physical and Logical Assets Is Limited to Authorized Users, Services, and Hardware and Managed Commensurate with the Assessed Risk of Unauthorized Access 44
3.1.1.1 PR.AA-01: Identities and Credentials for Authorized Users, Services, and Hardware Are Managed 45
3.1.1.2 PR.AA-02: Identities Are Proofed and Bound to Credentials Based on the Context of Interactions 46
3.1.1.3 PR.AA-03: Users, Services, and Hardware Are Authenticated 47
3.1.1.4 PR.AA-04: Identity Assertions Are Protected, Conveyed, and Verified 49
3.1.1.5 PR.AA-05: Access Permissions, Entitlements, and Authorizations Are Defined in a Policy, Managed, Enforced, and Reviewed, and Incorporate the Principles of Least Privilege and Separation of Duties 50
3.1.1.6 PR.AA-06: Physical Access to Assets Is Managed, Monitored, and Enforced Commensurate with Risk 52
3.1.2 Awareness and Training (PR.AT): The Organization's Personnel Are Provided with Cybersecurity Awareness and Training So That They Can Perform Their Cybersecurity-related Tasks 54
3.1.2.1 PR.AT-01: Personnel Are Provided with Awareness and Training So That They Possess the Knowledge and Skills to Perform General Tasks with Cybersecurity Risks in Mind 54
3.1.2.2 PR.AT-02: Individuals in Specialized Roles Are Provided with Awareness and Training So That They Possess the Knowledge and Skills to Perform Relevant Tasks with Cybersecurity Risks in Mind 56
3.1.3 Data Security (PR.DS): Data Are Managed Consistently with the Organization's Risk Strategy to Protect the Confidentiality, Integrity, and Availability of Information 57
3.1.3.1 PR.DS-01: The Confidentiality, Integrity, and Availability of Data-at-rest Are Protected 58
3.1.3.2 PR.DS-02: The Confidentiality, Integrity, and Availability of Data-in-transit Are Protected 60
3.1.3.3 PR.DS-10: The Confidentiality, Integrity, and Availability of Data-in-use Are Protected. (PR.DS-03: [Withdrawn: Incorporated into ID.AM-08, PR.PS-03], PR.DS-04: [Withdrawn: Moved to PR.IR-04], PR.DS-05: [Withdrawn: Incorporated into PR.DS-01, PR.DS-02, PR.DS-10], PR.DS-06: [Withdrawn: Incorporated into PR.DS-01, DE.CM-09], PR.DS-07: [Withdrawn: Incorporated into PR.IR-01], PR.DS-08: [Withdrawn: Incorporated into ID.RA-09, DE.CM-09]) 62
3.1.3.4 PR.DS-11: Backups of Data Are Created, Protected, Maintained, and Tested 63
3.1.4 Platform Security (PR.PS): The Hardware, Software (e.g., Firmware, Operating Systems, Applications), and Services of Physical and Virtual Platforms Are Managed Consistent with the Organization's Risk Strategy to Protect Their Confidentiality, Integrity, and Availability 65
3.1.4.1 PR.PS-01: Configuration Management Practices Are Established and Applied 65
3.1.4.2 PR.PS-02: Software Is Maintained, Replaced, and Removed Commensurate with Risk 67
3.1.4.3 PR.PS-03: Hardware Is Maintained, Replaced, and Removed Commensurate with Risk 68
3.1.4.4 PR.PS-04: Log Records Are Generated and Made Available for Continuous Monitoring 70
3.1.4.5 PR.PS-05: Installation and Execution of Unauthorized Software Are Prevented 71
3.1.4.6 PR.PS-06: Secure Software Development Practices Are Integrated, and Their Performance Is Monitored Throughout the Software Development Life Cycle 72
3.1.5 Technology Infrastructure Resilience (PR.IR): Security Architectures Are Managed with the Organization's Risk Strategy to Protect Asset Confidentiality, Integrity, and Availability, and Organizational Resilience 74
3.1.5.1 PR.IR-01: Networks and Environments Are Protected from Unauthorized Logical Access and Usage 75
3.1.5.2 PR.IR-02: The Organization's Technology Assets Are Protected from Environmental Threats 76
3.1.5.3 PR.IR-03: Mechanisms Are Implemented to Achieve Resilience Requirements in Normal and Adverse Situations 77
3.1.5.4 PR.IR-04: Adequate Resource Capacity to Ensure Availability Is Maintained 79
Chapter Summary 80
Chapter Quiz 80
Bibliography 80
4 NIST Function Detect 81
4.1 DETECT: Possible Cybersecurity Attacks and Compromises Are Found and Analyzed 82
4.1.1 Continuous Monitoring (DE.CM): Assets Are Monitored to Find Anomalies, Indicators of Compromise, and Other Potentially Adverse Events 83
4.1.1.1 DE.CM-01: Networks and Network Services Are Monitored to Find Potentially Adverse Events 83
4.1.1.2 DE.CM-02: The Physical Environment Is Monitored to Find Potentially Adverse Events 84
4.1.1.3 DE.CM-03: Personnel Activity and Technology Usage Are Monitored to Find Potentially Adverse Events 85
4.1.1.4 DE.CM-06: External Service Provider Activities and Services Are Monitored to Find Potentially Adverse Events (Note: DE.CM-04: [Withdrawn: Incorporated into DE.CM-01, DE.CM-09] and DE.CM-05: [Withdrawn: Incorporated into DE.CM-01, DE.CM-09]) 86
4.1.1.5 DE.CM-09: Computing Hardware and Software, Runtime Environments, and Their Data Are Monitored to Find Potentially Adverse Events (Note: DE.CM-07: [Withdrawn: Incorporated into DE.CM-01, DE.CM-03, DE.CM-06, DE.CM-09], DE.CM-08: [Withdrawn: Incorporated into ID.RA-01]) 87
4.1.2 Adverse Event Analysis (DE.AE): Anomalies, Indicators of Compromise, and Other Potentially Adverse Events Are Analyzed to Characterize the Events and Detect Cybersecurity Incidents 89
4.1.2.1 DE.AE-02: Potentially Adverse Events Are Analyzed to Understand Associated Activities Better (Note: DE.AE-01: [Withdrawn: Incorporated into ID.AM-03]) 89
4.1.2.2 DE.AE-03: Information Is Correlated from Multiple Sources 90
4.1.2.3 DE.AE-04: The Estimated Impact and Scope of Adverse Events Are Understood 91
4.1.2.4 DE.AE-06: Information on Adverse Events Is Provided to Authorized Staff and Tools (Note: DE.AE-05: [Withdrawn: Moved to DE.AE-08]) 92
4.1.2.5 DE.AE-07: Cyber Threat Intelligence and Other Contextual Information Are Integrated into the Analysis 93
4.1.2.6 DE.AE-08: Incidents Are Declared When Adverse Events Meet the Defined Incident Criteria 94
Chapter Summary 95
Chapter Quiz 96
Bibliography 96
5 NIST Function Respond 99
5.1 RESPOND (RS): Actions Regarding a Detected Cybersecurity Incident Are Taken 100
5.1.1 Incident Management (RS.MA): Responses to Detected Cybersecurity Incidents Are Managed 101
5.1.1.1 RS.MA-01: The Incident Response Plan Is Executed in Coordination with Relevant Third Parties Once an Incident Is Declared 101
5.1.1.2 RS.MA-02: Incident Reports Are Triaged and Validated 103
5.1.1.3 RS.MA-03: Incidents Are Categorized and Prioritized 104
5.1.1.4 RS.MA-04: Incidents Are Escalated or Elevated as Needed 104
5.1.1.5 RS.MA-05: The Criteria for Initiating Incident Recovery Are Applied 105
5.1.2 Incident Analysis (RS.AN): Investigations Are Conducted to Ensure Adequate Response and Support Forensics and Recovery Activities 106
5.1.2.1 RS.AN-03: Analysis Is Performed to Establish What Has Taken Place During an Incident and the Root Cause of the Incident (Note: RS.AN-01: [Withdrawn: Incorporated into RS.MA-02] and RS.AN-02: [Withdrawn: Incorporated into RS.MA-02, RS.MA-03, RS.MA-04]) 107
5.1.2.2 RS.AN-06: Actions Performed During an Investigation Are Recorded, and the Records' Integrity and Provenance Are Preserved (Note: RS.AN-04: [Withdrawn: Moved to RS.MA-03] and RS.AN-05: [Withdrawn: Moved to ID.RA-08]) 108
5.1.2.3 RS.AN-07: Incident Data and Metadata Are Collected, and Their Integrity and Provenance Are Preserved 108
5.1.2.4 RS.AN-08: An Incident's Magnitude Is Estimated and Validated 109
5.1.3 Incident Response Reporting and Communication (RS.CO): Response Activities Are Coordinated with Internal and External Stakeholders as Required by Laws, Regulations, or Policies 110
5.1.3.1 RS.CO-02: Internal and External Stakeholders Are Notified of Incidents (Note: RS.CO-01: [Withdrawn: Incorporated into PR.AT-01]) 111
5.1.3.2 RS.CO-03: Information Is Shared with Designated Internal and External Stakeholders (Note: RS.CO-04: [Withdrawn: Incorporated into RS.MA-01, RS.MA-04] and RS.CO-05: [Withdrawn: Incorporated into RS.CO-03]) 112
5.1.4 Incident Mitigation (RS.MI): Activities Are Performed to Prevent the Expansion of an Event and Mitigate Its Effects 113
5.1.4.1 RS.MI-01: Incidents Are Contained 113
5.1.4.2 RS.MI-02: Incidents Are Eradicated 114
Chapter Summary 116
Chapter Quiz 116
Bibliography 116
6 NIST Function Recover 117
6.1 RECOVER (RC): Assets and Operations Affected by a Cybersecurity Incident Are Restored 118
6.1.1 Incident Recovery Plan Execution (RC.RP): Restoration Activities Are Performed to Ensure Operational Availability of Systems and Services Affected by Cybersecurity Incidents 119
6.1.1.1 RC.RP-01: The Recovery Portion of the Incident Response Plan Is Executed Once Initiated from the Incident Response Process 119
6.1.1.2 RC.RP-02: Recovery Actions Are Selected, Scoped, Prioritized, and Performed 120
6.1.1.3 RC.RP-03: The Integrity of Backups and Other Restoration Assets Is Verified Before Using Them for Restoration 121
6.1.1.4 RC.RP-04: Critical Mission Functions and Cybersecurity Risk Management Are Considered to Establish Post-incident Operational Norms 122
6.1.1.5 RC.RP-05: The Integrity of Restored Assets Is Verified, Systems and Services Are Restored, and Normal Operating Status Is Confirmed 123
6.1.1.6 RC.RP-06: The End of Incident Recovery Is Declared Based on Criteria, and Incident-related Documentation Is Completed 124
6.1.2 Incident Recovery Communication (RC.CO): Restoration Activities Are Coordinated with Internal and External Parties 124
6.1.2.1 RC.CO-03: Recovery Activities and Progress in Restoring Operational Capabilities Are Communicated to Designated Internal and External Stakeholders (Note: RC.CO-01: [Withdrawn: Incorporated into RC.CO-04], RC.CO-02: [Withdrawn: Incorporated into RC.CO-04]) 125
6.1.2.2 RC.CO-04: Public Updates on Incident Recovery Are Shared Using Approved Methods and Messaging 126
Chapter Summary 127
Chapter Quiz 127
Bibliography 128
7 NIST Function Govern 129
7.1 GOVERN (GV): The Organization's Cybersecurity Risk Management Strategy, Expectations, and Policy Are Established, Communicated, and Monitored 130
7.1.1 Organizational Context (GV.OC): The Circumstances – Mission, Stakeholder Expectations, Dependencies, and Legal, Regulatory, and Contractual Requirements – Surrounding the Organization's Cybersecurity Risk Management Decisions Are Understood 130
7.1.1.1 GV.OC-01: The Organizational Mission Is Understood and Informs Cybersecurity Risk Management 131
7.1.1.2 GV.OC-02: Internal and External Stakeholders Are Understood, and Their Needs and Expectations Regarding Cybersecurity Risk Management Are Understood and Considered 132
7.1.1.3 GV.OC-03: Legal, Regulatory, and Contractual Requirements Regarding Cybersecurity – Including Privacy and Civil Liberties Obligations – Are Understood and Managed 133
7.1.1.4 GV.OC-04: Critical Objectives, Capabilities, and Services that External Stakeholders Depend on or Expect from the Organization Are Understood and Communicated 134
7.1.1.5 GV.OC-05: Outcomes, Capabilities, and Services That the Organization Depends on Are Understood and Communicated 136
7.1.2 Risk Management Strategy (GV.RM): The Organization's Priorities, Constraints, Risk Tolerance and Appetite Statements, and Assumptions Are Established, Communicated, and Used to Support Operational Risk Decisions 137
7.1.2.1 GV.RM-01: Risk Management Objectives Are Established and Agreed to by Organizational Stakeholders 137
7.1.2.2 GV.RM-02: Risk Appetite and Risk Tolerance Statements Are Established, Communicated, and Maintained 138
7.1.2.3 GV.RM-03: Cybersecurity Risk Management Activities and Outcomes Are Included in Enterprise Risk Management Processes 139
7.1.2.4 GV.RM-04: Strategic Direction That Describes Appropriate Risk Response Options Is Established and Communicated 140
7.1.2.5 GV.RM-05: Lines of Communication Across the Organization Are Established for Cybersecurity Risks, Including Risks from Suppliers and Other Third Parties 141
7.1.2.6 GV.RM-06: A Standardized Method for Calculating, Documenting, Categorizing, and Prioritizing Cybersecurity Risks Is Established and Communicated 142
7.1.2.7 GV.RM-07: Strategic Opportunities (i.e., Positive Risks) Are Characterized and Included in Organizational Cybersecurity Risk Discussions 143
7.1.3 Roles, Responsibilities, and Authorities (GV.RR): Cybersecurity Roles, Responsibilities, and Authorities to Foster Accountability, Performance Assessment, and Continuous Improvement Are Established and Communicated 144
7.1.3.1 GV.RR-01: Organizational Leadership Is Responsible and Accountable for Cybersecurity Risk and Fosters a Culture That Is Risk-aware, Ethical, and Continually Improving 144
7.1.3.2 GV.RR-02: Roles, Responsibilities, and Authorities Related to Cybersecurity Risk Management Are Established, Communicated, Understood, and Enforced 145
7.1.3.3 GV.RR-03: Adequate Resources Are Allocated Commensurate with the Cybersecurity Risk Strategy, Roles, Responsibilities, and Policies 146
7.1.3.4 GV.RR-04: Cybersecurity Is Included in Human Resources Practices 147
7.1.4 Policy (GV.PO): Organizational Cybersecurity Policy Is Established, Communicated, and Enforced 148
7.1.4.1 GV.PO-01: Policy for Managing Cybersecurity Risks Is Established Based on Organizational Context, Cybersecurity Strategy, and Priorities, and Is Communicated and Enforced 149
7.1.4.2 GV.PO-02: Policy for Managing Cybersecurity Risks Is Reviewed, Updated, Communicated, and Enforced to Reflect Changes in Requirements, Threats, Technology, and Organizational Mission 150
7.1.5 Oversight (GV.OV): Results of Organization-wide Cybersecurity Risk Management Activities and Performance Are Used to Inform, Improve, and Adjust the Risk Management Strategy 152
7.1.5.1 GV.OV-01: Cybersecurity Risk Management Strategy Outcomes Are Reviewed to Inform and Adjust Strategy and Direction 152
7.1.5.2 GV.OV-02: The Cybersecurity Risk Management Strategy Is Reviewed and Adjusted to Ensure Coverage of Organizational Requirements and Risks 153
7.1.5.3 GV.OV-03: Organizational Cybersecurity Risk Management Performance Is Evaluated and Reviewed for Adjustments Needed 154
7.1.6 Cybersecurity Supply Chain Risk Management (GV.SC): Cyber Supply Chain Risk Management Processes Are Identified, Established, Managed, Monitored, and Improved by Organizational Stakeholders 155
7.1.6.1 GV.SC-01: A Cybersecurity Supply Chain Risk Management Program, Strategy, Objectives, Policies, and Processes Are Established and Agreed to by Organizational Stakeholders 156
7.1.6.2 GV.SC-02: Cybersecurity Roles and Responsibilities for Suppliers, Customers, and Partners Are Established, Communicated, and Coordinated Internally and Externally 157
7.1.6.3 GV.SC-03: Cybersecurity Supply Chain Risk Management Is Integrated into Cybersecurity and ERM, Risk Assessment, and Improvement Processes 159
7.1.6.4 GV.SC-04: Suppliers Are Known and Prioritized by Criticality 160
7.1.6.5 GV.SC-05: Requirements to Address Cybersecurity Risks in Supply Chains Are Established, Prioritized, and Integrated into Contracts and Other Types of Agreements with Suppliers and Other Relevant Third Parties 161
7.1.6.6 GV.SC-06: Planning and Due Diligence Are Performed to Reduce Risks Before Entering into Formal Supplier or Other Third-party Relationships 163
7.1.6.7 GV.SC-07: The Risks Posed by a Supplier, Their Products and Services, and Other Third Parties Are Understood, Recorded, Prioritized, Assessed, Responded to, and Monitored Over the Course of the Relationship 164
7.1.6.8 GV.SC-08: Relevant Suppliers and Other Third Parties Are Included in Incident Planning, Response, and Recovery Activities 166
7.1.6.9 GV.SC-09: Supply Chain Security Practices Are Integrated into Cybersecurity and ERM Programs, and Their Performance Is Monitored Throughout the Technology Product and Service Life Cycle 167
7.1.6.10 GV.SC-10: Cybersecurity Supply Chain Risk Management Plans Include Provisions for Activities that Occur After the Conclusion of a Partnership or Service Agreement 168
Chapter Summary 170
Chapter Quiz 170
Bibliography 170
Appendix: Quiz Answer Key 171
Index 175