Identity pillar. An identity refers to an attribute or set of attributes that uniquely describe an organization user or entity. Organizations should ensure and enforce that the right users and entities have the right access to the right resources at the right time.

| # | Pillar | Function | Traditional | Advanced | Optimal |
|---|---|---|---|---|---|
| 1 | Identity | Authentication | The Organization authenticates identity using either passwords or multi-factor authentication (MFA). | The Organization authenticates identity using MFA. | The Organization continuously validates identity, not just when access is initially granted. |
| 2 | Identity | Identity Stores | The Organization only uses on-premises identity providers. | The Organization federates some identity with cloud and on-premises systems. | The Organization has global identity awareness across cloud and on-premises environments. |
| 3 | Identity | Risk Assessment | The Organization makes limited determinations for identity risk. | The Organization determines identity risk based on simple analytics and static rules. | The Organization analyzes user behavior in real time with machine learning algorithms to determine risk and deliver ongoing protection. |
| 4 | Identity | Visibility and Analytics Capability | The Organization segments user activity visibility with basic and static attributes. | The Organization aggregates user activity visibility with basic attributes and then analyzes and reports for manual refinement. | The Organization centralizes user visibility with high-fidelity attributes and user and entity behavior analytics (UEBA). |
| 5 | Identity | Automation and Orchestration Capability | The Organization manually administers and orchestrates (replicates) identity and credentials. | The Organization uses basic automated orchestration to federate identity and permit administration across identity stores. | The Organization fully orchestrates the identity lifecycle. Dynamic user profiling, dynamic identity and group membership, and just-in-time and just-enough access controls are implemented. |
| 6 | Identity | Governance Capability | The Organization manually audits identities and permissions after initial provisioning using static technical enforcement of credential policies (e.g., complexity, reuse, length, clipping, MFA, etc.). | The Organization uses policy-based automated access revocation. There are no shared accounts. | The Organization fully automates technical enforcement of policies. The Organization updates policies to reflect new orchestration options. |

Device pillar. A device refers to any hardware asset that can connect to a network, including internet of things (IoT) devices, mobile phones, laptops, servers, and others. A device may be organization-owned or bring-your-own-device (BYOD). Organizations should inventory devices, secure all organization devices, and prevent unauthorized devices from accessing resources.

| # | Pillar | Function | Traditional | Advanced | Optimal |
|---|---|---|---|---|---|
| 7 | Device | Compliance Monitoring | The Organization has limited visibility into device compliance. | The Organization employs compliance enforcement mechanisms for most devices. | The Organization constantly monitors and validates device security posture. |
| 8 | Device | Data Access | The Organization's access to data does not depend on visibility into the device that is being used to access the data. | The Organization's access to data considers device posture on first access. | The Organization's access to data considers real-time risk analytics about devices. |
| 9 | Device | Asset Management | The Organization has a simplified and manually tracked device inventory. | The Organization uses automated methods to manage assets, identify vulnerabilities, and patch assets. | The Organization integrates asset and vulnerability management across all of The Organization's environments, including cloud and remote. |
| 10 | Device | Visibility and Analytics Capability | The Organization's device management relies upon manual inspections of labels and periodic network discovery and reporting. | The Organization reconciles device inventories against sanctioned lists, with isolation of non-compliant components. | The Organization continuously runs device posture assessments (e.g., using endpoint detection and response (EDR) tools). |
| 11 | Device | Automation and Orchestration Capability | The Organization manually provisions devices with static capacity allocations. | The Organization provisions devices using automated, repeatable methods with policy-driven capacity allocations and reactive scaling. | The Organization's device capacity and deployment use continuous integration and continuous deployment (CI/CD) principles with dynamic scaling. |
| 12 | Device | Governance Capability | The Organization manually defines and enforces device acquisition channels and establishes and implements an inventory frequency policy. Device retirement requires extensive sanitation to remove residual access and data. | The Organization's devices natively support modern security functions in hardware. The Organization minimizes the quantity of legacy equipment that is unable to perform desired security functions. | The Organization's devices permit data access and use without resident plain-text copies, reducing asset supply chain risks. |

Network/Environment pillar. A network refers to an open communications medium, including the organization's internal networks, wireless networks, and the Internet, used to transport messages. Organizations should segment and control networks and manage internal and external data flows.

| # | Pillar | Function | Traditional | Advanced | Optimal |
|---|---|---|---|---|---|
| 13 | Network/Environment | Network Segmentation | The Organization defines its network architecture using large perimeter/macro-segmentation. | The Organization defines more of its network architecture by ingress/egress micro-perimeters with some internal micro-segmentation. | The Organization's network architecture consists of fully distributed ingress/egress micro-perimeters and deeper internal micro-segmentation based around application workflows. |
| 14 | Network/Environment | Threat Protection | The Organization bases threat protections primarily on known threats and static traffic filtering. | The Organization includes basic analytics to proactively discover threats. | The Organization integrates machine learning-based threat protection and filtering with context-based signals. |
| 15 | Network/Environment | Encryption | The Organization explicitly encrypts minimal internal or external traffic. | The Organization encrypts all traffic to internal applications, as well as some external traffic. | The Organization encrypts all traffic to internal and external locations, where possible. |
| 16 | Network/Environment | Visibility and Analytics Capability | The Organization provides visibility at the perimeter with centralized aggregation and analysis. | The Organization integrates analysis across multiple sensor types and positions with manual, policy-driven alerts and triggers. | The Organization integrates analysis across multiple sensor types and positions with automated alerts and triggers. |
| 17 | Network/Environment | Automation and Orchestration Capability | The Organization manually initiates and executes network and environment changes following change management workflows. | The Organization uses automated workflows for network and environment changes that are still manually initiated. | The Organization's network and environment configurations use infrastructure-as-code, with pervasive automation, following CI/CD deployment models. |
| 18 | Network/Environment | Governance Capability | The Organization uses manual policies to identify sanctioned networks, devices, and services, with manual discovery and remediation of unauthorized entities. | The Organization uses manual policies to identify sanctioned networks, devices, and services, with alerts and triggers and manual remediation for unauthorized entities. | The Organization uses automated discovery of networks, devices, and services, with manual or dynamic authorization and automated remediation of unauthorized entities. |

Application Workload pillar. Applications and workloads include organization systems, computer programs, and services that execute on-premises as well as in a cloud environment. Organizations should secure and manage the application layer as well as containers and provide secure application delivery.

| # | Pillar | Function | Traditional | Advanced | Optimal |
|---|---|---|---|---|---|
| 19 | Application Workload | Access Authorization | The Organization's access to applications is primarily based on local authorization and static attributes. | The Organization's access to applications relies on centralized authentication, authorization, monitoring, and attributes. | The Organization continuously authorizes access to applications, considering real-time risk analytics. |
| 20 | Application Workload | Threat Protections | The Organization's threat protections have minimal integration with application workflows, applying general-purpose protections for known threats. | The Organization has basic integration of threat protections into application workflows, primarily applying protections for known threats with some application-specific protections. | The Organization strongly integrates threat protections into application workflows, with analytics to provide protections that understand and account for application behavior. |
| 21 | Application Workload | Accessibility | Some critical cloud applications are directly accessible to users over the internet, with all others available through a virtual private network (VPN). | All cloud applications and some on-premises applications are directly accessible to users over the internet, with all others available through a VPN. | All applications are directly accessible to users over the internet. |
| 22 | Application Workload | Application Security | The Organization performs application security testing prior to deployment, primarily through static and manual testing methods. | The Organization integrates application security testing into the application development and deployment process, including the use of dynamic testing methods. | The Organization integrates application security testing throughout the development and deployment process, with regular automated testing of deployed applications. |
| 23 | Application Workload | Visibility and Analytics Capability | The Organization performs application health and security monitoring in isolation from external sensors and systems. | The Organization performs application health and security monitoring in context with some external sensors and systems. | The Organization performs continuous and dynamic application health and security monitoring with external sensors and systems. |
| 24 | Application Workload | Automation and Orchestration Capability | The Organization establishes application hosting location and access at provisioning. | Applications can inform device and network components of changing state. | Applications adapt to ongoing environmental changes for security and performance optimization. |
| 25 | Application Workload | Governance Capability | The Organization has legacy policies and conducts manual enforcement for software development, software asset management, security tests and evaluations (ST&E) at technology insertion, and tracking of software dependencies. | The Organization has updated policies and centralized enforcement. | The Organization has updated policies and dynamic enforcement. |

Data pillar. The Organization's data should be protected on devices, in applications, and on networks. Organizations should inventory, categorize, and label data, protect data at rest and in transit, and deploy mechanisms for detecting data exfiltration.

| # | Pillar | Function | Traditional | Advanced | Optimal |
|---|---|---|---|---|---|
| 26 | Data | Inventory Management | The Organization manually categorizes data and has poor data inventorying, leading to inconsistent categorization. | The Organization primarily inventories data manually with some automated tracking. The Organization performs data categorization using a combination of manual and static analysis methods. | The Organization continuously inventories data with robust tagging and tracking. The Organization augments categorization with machine learning models. |
| 27 | Data | Access Determination | The Organization governs access to data by using static access controls. | The Organization governs access to data using least privilege controls that consider identity, device risk, and other attributes. | The Organization's access to data is dynamic, supporting just-in-time and just-enough principles and continual risk-based determinations. |
| 28 | Data | Encryption | The Organization primarily stores data in on-premises data stores, where it is unencrypted at rest. | The Organization stores data in cloud or remote environments, where it is encrypted at rest. | The Organization encrypts all data at rest. |
| 29 | Data | Visibility and Analytics Capability | The Organization has limited data inventories that prevent useful visibility and analytics except possibly in specific circumstances. | Most of the Organization's data are inventoried and can be accounted for since the last inventory update. Analytics are limited to plaintext data. | The Organization's data are inventoried and can always be accounted for. The Organization logs and analyzes all access events for suspicious behaviors. The Organization performs analytics on encrypted data. |
| 30 | Data | Automation and Orchestration Capability | The Organization lacks consistent categorization and labeling, which prevents automation and orchestration. Some data management tasks run automatically. | The Organization runs scheduled audits that locate high-value data and analyze access controls. There is limited automatic orchestration to apply controls and ensure backups are in place. | The Organization automatically enforces strict access controls for high-value data. All high-value data is backed up regardless of its storage location. Data inventories are automatically updated. |
| 31 | Data | Governance Capability | The Organization largely enforces data protection and handling policies through administrative controls. Data categorization and data access authorizations are largely defined by distributed decision making. | The Organization enforces data protections through mostly technical and some administrative controls. Data categorization and data access authorizations are defined with a method that better integrates diverse data sources. | The Organization always automatically enforces data protections required by policy. Data categorization and data access authorizations are defined using a fully unified approach that integrates data, independent of source. |