PRM-05: Cybersecurity & Data Protection Requirements Definition
Mechanisms exist to identify critical system components and functions by performing a criticality analysis for critical Technology Assets, Applications and/or Services (TAAS) at pre-defined decision points in the Secure Development Life Cycle (SDLC).
Control Question: Does the organization identify critical system components and functions by performing a criticality analysis for critical Technology Assets, Applications and/or Services (TAAS) at pre-defined decision points in the Secure Development Life Cycle (SDLC)?
General (39)
| Framework | Mapping Values |
|---|---|
| AICPA TSC 2017:2022 (used for SOC 2) (source) | CC2.2 CC4.1 CC5.2 PI1.1-POF1 PI1.1-POF2 PI1.1-POF3 |
| BSI Standard 200-1 | 8.2 |
| CIS CSC 8.1 | 15.7 |
| CIS CSC 8.1 IG3 | 15.7 |
| COBIT 2019 | APO01.10 APO08.01 BAI02.01 |
| COSO 2017 | Principle 11 Principle 14 Principle 16 |
| CSA IoT SCF 2 | LGL-01 LGL-02 LGL-03 LGL-04 LGL-05 LGL-06 LGL-07 LGL-08 |
| ISO/SAE 21434 2021 | RC-05-10 RQ-06-01 RQ-06-02.a RQ-06-02.b RQ-06-02.c RQ-06-06 RQ-09-09 RQ-10-01.a RQ-10-01.b RQ-10-01.c RQ-10-02 |
| ISO 22301 2019 | 6.2.1 6.2.2 |
| ISO 27002 2022 | 5.8 5.9 8.26 |
| ISO 27017 2015 | 14.1.1 |
| ISO 27701 2025 | 6.1.1 |
| ISO 31010 2009 | 4.3.1 4.3.2 |
| ISO 42001 2023 | 4.1 4.2 A.4.2 A.6.2.2 |
| MITRE ATT&CK 10 | T1195.003, T1495, T1542, T1542.001, T1542.003, T1542.004, T1542.005, T1553, T1553.006, T1601, T1601.001, T1601.002 |
| NIST AI 100-1 (AI RMF) 1.0 | MAP 1.6 |
| NIST Privacy Framework 1.0 | CT.PO-P1 CT.DM-P9 CT.DM-P10 |
| NIST 800-53 R4 | SA-14 |
| NIST 800-53 R5 (source) | RA-9 |
| NIST 800-53B R5 (moderate) (source) | RA-9 |
| NIST 800-53B R5 (high) (source) | RA-9 |
| NIST 800-82 R3 MODERATE OT Overlay | RA-9 |
| NIST 800-82 R3 HIGH OT Overlay | RA-9 |
| NIST 800-160 | 3.4 3.4.3 3.4.4 3.4.5 3.4.6 |
| NIST 800-161 R1 | RA-9 |
| NIST 800-161 R1 Flow Down | RA-9 |
| NIST 800-161 R1 Level 1 | RA-9 |
| NIST 800-161 R1 Level 2 | RA-9 |
| NIST 800-161 R1 Level 3 | RA-9 |
| NIST 800-171 R3 (source) | 03.16.01 |
| NIST 800-218 | PO.1 PO.1.1 |
| PCI DSS 4.0.1 (source) | 1.1 |
| TISAX ISA 6 | 1.2.3 5.3.2 8.3.1 |
| UN R155 | 7.2.2.1(a) 7.2.2.1(b) 7.2.2.1(c) 7.2.2.2(a) 7.2.2.2(b) 7.2.2.2(c) 7.2.2.2(d) 7.2.2.2(e) 7.2.2.2(f) 7.2.2.2(g) 7.2.2.2(h) 7.2.2.3 7.2.2.4(a) 7.2.2.4(b) 7.2.2.5 7.3.4 |
| UN ECE WP.29 | 7.2.2.1(a) 7.2.2.1(b) 7.2.2.1(c) 7.2.2.2(a) 7.2.2.2(b) 7.2.2.2(c) 7.2.2.2(d) 7.2.2.2(e) 7.2.2.2(f) 7.2.2.2(g) 7.2.2.2(h) 7.2.2.3 7.2.2.4(a) 7.2.2.4(b) 7.2.2.5 7.3.4 |
| SCF CORE Mergers, Acquisitions & Divestitures (MA&D) | PRM-05 |
| SCF CORE ESP Level 2 Critical Infrastructure | PRM-05 |
| SCF CORE ESP Level 3 Advanced Threats | PRM-05 |
| SCF CORE AI Model Deployment | PRM-05 |
US (15)
| Framework | Mapping Values |
|---|---|
| US C2M2 2.1 | ASSET-5.B.MIL2 THREAT-3.A.MIL2 RISK-5.B.MIL2 ACCESS-4.B.MIL2 SITUATION-4.B.MIL2 RESPONSE-5.B.MIL2 THIRD-PARTIES-3.B.MIL2 WORKFORCE-4.B.MIL2 ARCHITECTURE-5.B.MIL2 PROGRAM-3.B.MIL2 |
| US CERT RMM 1.2 | COMM:SG1.SP2 COMM:SG3.SP1 RRD:SG3.SP1 RTSE:SG2.SP1 RTSE:SG2.SP2 RTSE:SG3.SP1 RTSE:SG3.SP2 TM:SG1.SP1 |
| US FCA CRM | 609.935(e) |
| US FedRAMP R5 (source) | RA-9 |
| US FedRAMP R5 (moderate) (source) | RA-9 |
| US FedRAMP R5 (high) (source) | RA-9 |
| US FFIEC | D4.C.Co.B.1 D1.G.IT.B.2 D5.IR.Pl.B.5 D5.IR.Pl.E.3 |
| US HIPAA Administrative Simplification 2013 (source) | 164.306(b)(2)(ii) |
| US HIPAA Security Rule / NIST SP 800-66 R2 (source) | 164.306(b)(2)(ii) |
| US HIPAA HICP Small Practice | 5.S.B |
| US HIPAA HICP Medium Practice | 5.M.B |
| US HIPAA HICP Large Practice | 5.M.B |
| US NNPI (unclass) | 12.1 |
| US - CA CCPA 2025 | 7100(b) |
| US - CO Colorado Privacy Act | 6-1-1308(1)(c)(I) 6-1-1308(1)(c)(II) |
EMEA (12)
| Framework | Mapping Values |
|---|---|
| EMEA EU AI Act | 14.3(b) |
| EMEA EU EBA GL/2019/04 | 3.5(51) 3.6.1(64) 3.6.1(65) 3.6.2(68) |
| EMEA EU DORA | 7(a) 7(b) 7(c) 7(d) |
| EMEA EU NIS2 | 21.3 |
| EMEA EU NIS2 Annex | 6.2.2(a) |
| EMEA Israel CDMO 1.0 | 17.5 17.6 |
| EMEA Qatar PDPPL | 11.1 11.2 11.3 11.4 11.5 11.6 11.7 11.8 |
| EMEA Saudi Arabia CSCC-1 2019 | 1-3-1-2 2-13-1 2-13-2 2-13-3-1 2-13-3-2 2-13-3-3 2-13-3-4 |
| EMEA Saudi Arabia ECC-1 2018 | 1-6-1 |
| EMEA Saudi Arabia OTCC-1 2022 | 1-4-1 1-4-1-1 1-4-2 |
| EMEA Saudi Arabia SACS-002 | TPC-43 |
| EMEA Spain CCN-STIC 825 | 7.1.3 [OP.PL.3] |
APAC (7)
| Framework | Mapping Values |
|---|---|
| APAC Australia ISM June 2024 | ISM-0720 ISM-1739 |
| APAC Japan ISMAP | 4.4.3 4.4.3.1 14.1.1 |
| APAC New Zealand HISF 2022 | HHSP11 HHSP28 HHSP31 HML31 HSUP27 |
| APAC New Zealand HISF Suppliers 2023 | HSUP27 |
| APAC New Zealand NZISM 3.6 | 12.1.30.C.01 12.1.30.C.02 12.1.30.C.03 12.1.32.C.01 12.1.32.C.02 12.1.32.C.03 |
| APAC Singapore MAS TRM 2021 | 5.1.1 5.1.2 5.1.3 5.1.4 5.3.3 5.5.1 5.5.2 5.6.1 5.6.2 5.6.3 |
| APAC Taiwan | 27 |
Americas (3)
| Framework | Mapping Values |
|---|---|
| Americas Canada CSAG | 6.7 |
| Americas Canada OSFI B-13 | 1.2.1 2.3 2.4.1 2.4.2 2.4.3 2.8 |
| Americas Canada ITSP-10-171 | 03.16.01 |
Capability Maturity Model
Level 0 — Not Performed
There is no evidence of a capability to identify critical system components and functions by performing a criticality analysis for critical Technology Assets, Applications and/or Services (TAAS) at pre-defined decision points in the Secure Development Life Cycle (SDLC).
Level 1 — Performed Informally
Project & Resource Management (PRM) efforts are ad hoc and inconsistent. CMM Level 1 control maturity would reasonably expect all, or at least most, the following criteria to exist:
- Program/project management is decentralized.
- IT personnel work with data/process owners to help ensure secure practices are implemented throughout the System Development Lifecycle (SDLC) for all high-value projects.
Level 2 — Planned & Tracked
Project & Resource Management (PRM) efforts are requirements-driven and governed at a local/regional level, but are not consistent across the organization. CMM Level 2 control maturity would reasonably expect all, or at least most, the following criteria to exist:
- Program/project management is decentralized (e.g., a localized/regionalized function) and uses non-standardized methods to implement secure, resilient and compliant practices.
- IT/cybersecurity personnel identify cybersecurity and data protection controls that are appropriate to address applicable statutory, regulatory and contractual requirements for Project Management (PM).
- The PM function facilitates the implementation of cybersecurity and data protection-related resource planning controls across the System Development Lifecycle (SDLC) for all projects.
- The responsibility for enforcing cybersecurity and data protection control implementation is assigned to business / process owners and asset custodians.
Level 3 — Well Defined
Project & Resource Management (PRM) efforts are standardized across the organization and centrally managed, where technically feasible, to ensure consistency. CMM Level 3 control maturity would reasonably expect all, or at least most, the following criteria to exist:
- The Chief Information Security Officer (CISO), or similar function with technical competence to address cybersecurity concerns, analyzes the organization's business strategy to determine prioritized and authoritative guidance for program/project management practices.
- The CISO, or similar function, develops a security-focused Concept of Operations (CONOPS) that documents management, operational and technical measures to apply defense-in-depth techniques across the enterprise with regards to program/project management.
- The CISO, or similar function, leverages a capability maturity model to define and identify targeted capability maturity levels for each of the functions that make up the cybersecurity and data protection program.
- A Governance, Risk & Compliance (GRC) function, or similar function, provides governance oversight for the implementation of applicable statutory, regulatory and contractual cybersecurity and data protection controls to protect the confidentiality, integrity, availability and safety of the organization's applications, systems, services and data for program/project management.
- A steering committee is formally established to provide executive oversight of the cybersecurity and data protection program, including program/project management.
- A Project Management Office (PMO), or project management function, enables the centralized-implementation of cybersecurity and data protection-related resource planning controls across the System Development Lifecycle (SDLC) for all projects.
- The PMO determines the identification and allocation of resources for cybersecurity and data protection requirements within business process planning for projects and other initiatives.
- Project Management (PM) is centrally-managed across the enterprise to implement cybersecurity and data protection controls as part of the project management lifecycle, with the responsibility for enforcing cybersecurity and data protection control implementation assigned to business / process owners and asset custodians.
- Subordinate staff and stakeholders are educated on the capability maturity expectations and those targets are used to task individual contributor work activities in an effort to achieve the targeted maturity levels.
Level 4 — Quantitatively Controlled
Project & Resource Management (PRM) efforts are metrics driven and provide sufficient management insight (based on a quantitative understanding of process capabilities) to predict optimal performance, ensure continued operations and identify areas for improvement. In addition to CMM Level 3 criteria, CMM Level 4 control maturity would reasonably expect all, or at least most, the following criteria to exist:
- Metrics reporting includes quantitative analysis of Key Performance Indicators (KPIs).
- Metrics reporting includes quantitative analysis of Key Risk Indicators (KRIs).
- Scope of metrics, KPIs and KRIs covers organization-wide cybersecurity and data protection controls, including functions performed by third-parties.
- Organizational leadership maintains a formal process to objectively review and respond to metrics, KPIs and KRIs (e.g., monthly or quarterly review).
- Based on metrics analysis, process improvement recommendations are submitted for review and are handled in accordance with change control processes.
- Both business and technical stakeholders are involved in reviewing and approving proposed changes.
Level 5 — Continuously Improving
See C|P-CMM4. There are no defined C|P-CMM5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to identify critical system components and functions by performing a criticality analysis for critical Technology Assets, Applications and/or Services (TAAS) at pre-defined decision points in the Secure Development Life Cycle (SDLC).
Assessment Objectives
- PRM-05_A01 systems, system components or system services to be analyzed for criticality are defined.
- PRM-05_A02 decision points in the system development life cycle when a criticality analysis is to be performed are defined.
- PRM-05_A03 critical system components and functions are identified by performing a criticality analysis for systems, system components or system services at decision points in the system development life cycle.
Evidence Requirements
- E-PRM-03 Secure Development Lifecycle (SDLC)
-
Documented evidence of a secure development lifecycle that the organization utilizes for new initiatives or significant changes to existing initiatives to ensure cybersecurity & data privacy principles are identified and implemented by default.
Resource Management
Technology Recommendations
Micro/Small
- Defined technical requirements
- Defined business requirements
Small
- Defined technical requirements
- Defined business requirements
Medium
- Defined technical requirements
- Defined business requirements
- System Development Lifecycle (SDLC) governance / oversight
Large
- Defined technical requirements
- Defined business requirements
- System Development Lifecycle (SDLC) governance / oversight
Enterprise
- Defined technical requirements
- Defined business requirements
- System Development Lifecycle (SDLC) governance / oversight