Organizational communication and data flows are mapped
External information systems are catalogued
Resources (e.g., hardware, devices, data, time, personnel, and software) are prioritized based on their classification, criticality, and business value
Cybersecurity roles and responsibilities for the entire workforce and third-party stakeholders (e.g., suppliers, customers, partners) are established
The organization’s role in the supply chain is identified and communicated
The organization’s place in critical infrastructure and its industry sector is identified and communicated
Priorities for organizational mission, objectives, and activities are established and communicated
Dependencies and critical functions for delivery of critical services are established
Resilience requirements to support delivery of critical services are established for all operating states (e.g. under duress/attack, during recovery, normal operations)
Organizational cybersecurity policy is established and communicated
Passcode