Summary of RMF tasks. Source for every row: NIST SP 800-37 Revision 2.

| # | Level | Task | Task Group | Task Name | Description |
|---|---|---|---|---|---|
| 1 | Organization Level | TASK P-1 | Prepare Tasks | Risk Management Roles | Identify and assign individuals to specific roles associated with security and privacy risk management. |
| 2 | Organization Level | TASK P-2 | Prepare Tasks | Risk Management Strategy | Establish a risk management strategy for the organization that includes a determination of risk tolerance. |
| 3 | Organization Level | TASK P-3 | Prepare Tasks | Risk Assessment—Organization | Assess organization-wide security and privacy risk and update the risk assessment results on an ongoing basis. |
| 4 | Organization Level | TASK P-4 | Prepare Tasks | Organizationally-Tailored Control Baselines and Cybersecurity Framework Profiles (Optional) | Establish, document, and publish organizationally-tailored control baselines and/or Cybersecurity Framework Profiles. |
| 5 | Organization Level | TASK P-5 | Prepare Tasks | Common Control Identification | Identify, document, and publish organization-wide common controls that are available for inheritance by organizational systems. |
| 6 | Organization Level | TASK P-6 | Prepare Tasks | Impact-Level Prioritization (Optional) | Prioritize organizational systems with the same impact level. |
| 7 | Organization Level | TASK P-7 | Prepare Tasks | Continuous Monitoring Strategy—Organization | Develop and implement an organization-wide strategy for continuously monitoring control effectiveness. |
| 8 | System Level | TASK P-8 | Prepare Tasks | Mission or Business Focus | Identify the missions, business functions, and mission/business processes that the system is intended to support. |
| 9 | System Level | TASK P-9 | Prepare Tasks | System Stakeholders | Identify stakeholders who have an interest in the design, development, implementation, assessment, operation, maintenance, or disposal of the system. |
| 10 | System Level | TASK P-10 | Prepare Tasks | Asset Identification | Identify assets that require protection. |
| 11 | System Level | TASK P-11 | Prepare Tasks | Authorization Boundary | Determine the authorization boundary of the system. |
| 12 | System Level | TASK P-12 | Prepare Tasks | Information Types | Identify the types of information to be processed, stored, and transmitted by the system. |
| 13 | System Level | TASK P-13 | Prepare Tasks | Information Life Cycle | Identify and understand all stages of the information life cycle for each information type processed, stored, or transmitted by the system. |
| 14 | System Level | TASK P-14 | Prepare Tasks | Risk Assessment—System | Conduct a system-level risk assessment and update the risk assessment results on an ongoing basis. |
| 15 | System Level | TASK P-15 | Prepare Tasks | Requirements Definition | Define the security and privacy requirements for the system and the environment of operation. |
| 16 | System Level | TASK P-16 | Prepare Tasks | Enterprise Architecture | Determine the placement of the system within the enterprise architecture. |
| 17 | System Level | TASK P-17 | Prepare Tasks | Requirements Allocation | Allocate security and privacy requirements to the system and to the environment of operation. |
| 18 | System Level | TASK P-18 | Prepare Tasks | System Registration | Register the system with organizational program or management offices. |
| 19 | System Level | TASK C-1 | Categorization Tasks | System Description | Document the characteristics of the system. |
| 20 | System Level | TASK C-2 | Categorization Tasks | Security Categorization | Categorize the system and document the security categorization results. |
| 21 | System Level | TASK C-3 | Categorization Tasks | Security Categorization Review and Approval | Review and approve the security categorization results and decision. |
| 22 | System Level | TASK S-1 | Selection Tasks | Control Selection | Select the controls for the system and the environment of operation. |
| 23 | System Level | TASK S-2 | Selection Tasks | Control Tailoring | Tailor the controls selected for the system and the environment of operation. |
| 24 | System Level | TASK S-3 | Selection Tasks | Control Allocation | Allocate security and privacy controls to the system and to the environment of operation. |
| 25 | System Level | TASK S-4 | Selection Tasks | Documentation of Planned Control Implementations | Document the controls for the system and environment of operation in security and privacy plans. |
| 26 | System Level | TASK S-5 | Selection Tasks | Continuous Monitoring Strategy—System | Develop and implement a system-level strategy for monitoring control effectiveness that is consistent with and supplements the organizational continuous monitoring strategy. |
| 27 | System Level | TASK S-6 | Selection Tasks | Plan Review and Approval | Review and approve the security and privacy plans for the system and the environment of operation. |
| 28 | System Level | TASK I-1 | Implementation Tasks | Control Implementation | Implement the controls in the security and privacy plans. |
| 29 | System Level | TASK I-2 | Implementation Tasks | Update Control Implementation Information | Document changes to planned control implementations based on the "as-implemented" state of controls. |
| 30 | System Level | TASK A-1 | Assessment Tasks | Assessor Selection | Select the appropriate assessor or assessment team for the type of control assessment to be conducted. |
| 31 | System Level | TASK A-2 | Assessment Tasks | Assessment Plan | Develop, review, and approve plans to assess implemented controls. |
| 32 | System Level | TASK A-3 | Assessment Tasks | Control Assessments | Assess the controls in accordance with the assessment procedures described in assessment plans. |
| 33 | System Level | TASK A-4 | Assessment Tasks | Assessment Reports | Prepare the assessment reports documenting the findings and recommendations from the control assessments. |
| 34 | System Level | TASK A-5 | Assessment Tasks | Remediation Actions | Conduct initial remediation actions on the controls and reassess remediated controls. |
| 35 | System Level | TASK A-6 | Assessment Tasks | Plan of Action and Milestones | Prepare the plan of action and milestones based on the findings and recommendations of the assessment reports. |
| 36 | System Level | TASK R-1 | Authorization Tasks | Authorization Package | Assemble the authorization package and submit the package to the authorizing official for an authorization decision. |
| 37 | System Level | TASK R-2 | Authorization Tasks | Risk Analysis and Determination | Analyze and determine the risk from the operation or use of the system or the provision of common controls. |
| 38 | System Level | TASK R-3 | Authorization Tasks | Risk Response | Identify and implement a preferred course of action in response to the risk determined. |
| 39 | System Level | TASK R-4 | Authorization Tasks | Authorization Decision | Determine if the risk from the operation or use of the information system or the provision or use of common controls is acceptable. |
| 40 | System Level | TASK R-5 | Authorization Tasks | Authorization Reporting | Report the authorization decision and any deficiencies in controls that represent significant security or privacy risk. |
| 41 | System Level | TASK M-1 | Monitoring Tasks | System and Environment Changes | Monitor the information system and its environment of operation for changes that impact the security and privacy posture of the system. |
| 42 | System Level | TASK M-2 | Monitoring Tasks | Ongoing Assessments | Assess the controls implemented within and inherited by the system in accordance with the continuous monitoring strategy. |
| 43 | System Level | TASK M-3 | Monitoring Tasks | Ongoing Risk Response | Respond to risk based on the results of ongoing monitoring activities, risk assessments, and outstanding items in plans of action and milestones. |
| 44 | System Level | TASK M-4 | Monitoring Tasks | Authorization Package Updates | Update plans, assessment reports, and plans of action and milestones based on the results of the continuous monitoring process. |
| 45 | System Level | TASK M-5 | Monitoring Tasks | Security and Privacy Reporting | Report the security and privacy posture of the system to the authorizing official and other organizational officials on an ongoing basis in accordance |
| 46 | System Level | TASK M-6 | Monitoring Tasks | Ongoing Authorization | Review the security and privacy posture of the system on an ongoing basis to determine whether the risk remains acceptable. |
| 47 | System Level | TASK M-7 | Monitoring Tasks | System Disposal | Implement a system disposal strategy and execute required actions when a system is removed from operation. |