https://csrc.nist.gov/pubs/cswp/29/the-nist-cybersecurity-framework-20/ipd

We mentioned this on the call today. So I did the normal thing, a word search, and a few other comments.

Transparency: 0 mentions
Transparent: 0 mentions
Consent: 0 mentions
Notice: 0 mentions
Authority: 0 mentions
Authorization: 2 mentions

Only one control:

Identity Management, Authentication, and Access Control (PR.AA): Access to physical and logical assets is limited to authorized users, services, and hardware, and is managed commensurate with the assessed risk of unauthorized access (formerly PR.AC)

PR.AA-05: Access permissions, entitlements, and authorizations are defined in a policy, managed, enforced, and reviewed, and incorporate the principles of least privilege and separation of duties (formerly PR.AC-01, PR.AC-03, PR.AC-04)

(There needs to be a notice created from the assessed risk. What is assessed in this case would also be a gap, as it is information risk, and not, for example, a control impact assessment.)

Also interesting is that they do have a concentric view; all we need to do is change what is at the center.

Best,
Sal