1. Introduction: The NIST Ransomware Risk Management Profile (NISTIR 8374)
Ransomware has evolved from opportunistic malware into a professionalised, extortion-driven criminal ecosystem that now routinely combines data encryption, data exfiltration, distributed denial of service and public shaming (the so-called quadruple-extortion model). In response, the National Institute of Standards and Technology (NIST) published the Ransomware Risk Management: A Cybersecurity Framework Profile, catalogued as NIST Internal/Interagency Report (NISTIR) 8374. First released as a preliminary draft in June 2021 and finalised in February 2022, the document is a purpose-built Profile of the NIST Cybersecurity Framework (CSF) that curates and prioritises the specific CSF outcomes most effective at preventing, detecting, responding to and recovering from ransomware events.
NISTIR 8374 is not a new, free-standing standard with its own control catalogue. It is a lens applied over the CSF. It selects the CSF Subcategories that materially reduce ransomware risk, maps each to authoritative Informative References (NIST SP 800-53 Rev. 5, CIS Controls, ISO/IEC 27001, COBIT, ISA/IEC 62443 and others), and organises them under the five familiar CSF Functions: Identify, Protect, Detect, Respond and Recover. It is deliberately outcome-based and technology-neutral, so that an organisation of any size or sector can adopt it. This guide provides an auditor-grade, implementer-ready walkthrough for CyberSigma clients seeking to assess, uplift and evidence their ransomware resilience against the Profile.
2. What is the NIST Ransomware Risk Management Profile?
The Ransomware Profile is a CSF Profile — a curated alignment of the Framework Core (Functions, Categories and Subcategories) with a specific business objective, in this case managing ransomware risk. NIST calls out a Current Profile (where an organisation stands today) and a Target Profile (the desired ransomware-resilient state). The gap between the two drives a prioritised action plan. NISTIR 8374 supplies a ready-made Target Profile: a filtered set of CSF Subcategories that NIST considers the highest-value defences and recovery capabilities against ransomware.
The Profile pursues two complementary goals. First, help organisations gauge their level of readiness to counter ransomware threats and deal with the potential consequences of an event. Second, help them identify and prioritise opportunities for improving ransomware resilience through a structured, repeatable, CSF-aligned method. It intentionally leans on the CSF because most organisations already know or use the CSF, allowing the Profile to slot into existing governance rather than imposing a parallel regime.
NISTIR 8374 also front-loads a set of concrete, plain-language basic preventative steps — for example, keeping systems patched, using allowlisting, restricting administrative privileges, blocking macros, avoiding personal apps on work devices and continuously training staff. These 'quick wins' are technology-neutral hygiene measures that materially cut ransomware risk before an organisation even begins the deeper CSF Subcategory work.
| Attribute | Detail |
|---|---|
| Full title | Ransomware Risk Management: A Cybersecurity Framework Profile |
| Identifier | NISTIR 8374 (also published as NIST IR 8374) |
| Issuer | National Institute of Standards and Technology (NIST), U.S. Department of Commerce |
| Draft / final | Preliminary draft June 2021; final published 24 February 2022 |
| Basis | NIST Cybersecurity Framework v1.1 (April 2018) — five Functions |
| Nature | Voluntary Profile / guidance, not a mandatory regulation |
| Companion mapping | NISTIR 8374 was later re-expressed against CSF 2.0 in the NIST CSF 2.0 Ransomware Community Profile (Feb 2024) |
| Scope | All sectors and organisation sizes; IT and, where applicable, OT/ICS |
3. Who must comply / scope of applicability
NISTIR 8374 is voluntary. No statute mandates the Profile by name. However, it is functionally significant because it distils the ransomware-relevant subset of the CSF, and the CSF is referenced or required across many regulatory and contractual regimes. Organisations adopt the Ransomware Profile either directly, or because an overarching obligation (a cyber-insurance questionnaire, a customer contract, a sector regulator, or an executive directive) demands demonstrable ransomware resilience that the Profile conveniently structures.
| Organisation type | Why the Profile applies |
|---|---|
| U.S. federal agencies | CSF alignment is expected under Executive Order 14028 and OMB guidance; ransomware resilience is a stated national priority. |
| Critical infrastructure operators | Energy, water, healthcare, financial services and transport face ransomware as a top systemic threat; the Profile operationalises CSF for them. |
| Private enterprises of any size | The Profile is explicitly written for small, medium and large organisations; SMBs use the basic preventative steps, enterprises use the full Subcategory set. |
| Cyber-insurance applicants | Insurers increasingly require evidence of backups, MFA, EDR, patching and IR plans — precisely the Profile's outcomes — before binding or renewing coverage. |
| Supply-chain vendors | Customers flow down ransomware-resilience clauses; vendors use the Profile to answer third-party risk assessments consistently. |
| Regulated firms (indirect) | Where a regulator references the CSF (e.g. HIPAA Security Rule guidance, NYDFS, sector frameworks), the Ransomware Profile provides a targeted assurance path. |
- Applicability is by risk exposure, not by legal compulsion — any entity that stores, processes or depends on digital assets is in scope.
- The Profile is medium-agnostic: it applies equally to on-premises, cloud, hybrid and operational-technology environments.
- Third parties, managed service providers and outsourced IT are in scope; ransomware frequently enters via the supply chain and MSPs.
- Size scales the depth, not the applicability: micro-businesses focus on the preventative basics; enterprises implement the full Current-to-Target Profile programme.
4. Structure of the Ransomware Profile
The Profile inherits the CSF Core architecture. At the top sit the five Functions. Each Function decomposes into Categories, and each Category into Subcategories — the granular outcome statements that are the true unit of assessment. NISTIR 8374 selects the Subcategories most relevant to ransomware (it does not use every CSF Subcategory) and, for each, lists Informative References that tell an implementer where an authoritative control exists. The table below shows the five Functions, their intent in a ransomware context, and the CSF Category identifiers that fall under each.
| Function (ID) | Ransomware intent | Constituent CSF Categories (IDs) |
|---|---|---|
| Identify (ID) | Understand assets, data, risks and supply chain so ransomware exposure is known and governed. | Asset Management (ID.AM), Business Environment (ID.BE), Governance (ID.GV), Risk Assessment (ID.RA), Risk Management Strategy (ID.RM), Supply Chain Risk Management (ID.SC) |
| Protect (PR) | Prevent initial access, lateral movement, privilege abuse and data loss. | Identity Management & Access Control (PR.AC), Awareness & Training (PR.AT), Data Security (PR.DS), Information Protection Processes & Procedures (PR.IP), Maintenance (PR.MA), Protective Technology (PR.PT) |
| Detect (DE) | Spot ransomware precursors, encryption behaviour and exfiltration early. | Anomalies & Events (DE.AE), Security Continuous Monitoring (DE.CM), Detection Processes (DE.DP) |
| Respond (RS) | Contain the incident, communicate, analyse and mitigate to limit blast radius. | Response Planning (RS.RP), Communications (RS.CO), Analysis (RS.AN), Mitigation (RS.MI), Improvements (RS.IM) |
| Recover (RC) | Restore encrypted/destroyed systems and data from trusted backups and improve. | Recovery Planning (RC.RP), Improvements (RC.IM), Communications (RC.CO) |
5. Master assessment checklist — every Function, Category and ransomware Subcategory
This is the core of the guide. Below, each of the five CSF Functions is broken into its Categories, and for each we enumerate the ransomware-relevant Subcategories selected by NISTIR 8374 with a 'what to verify' and 'typical evidence' pair. Use these tables directly as fieldwork worksheets. No control area is omitted.
5.1 IDENTIFY (ID) — Asset Management & Business Environment
| What to verify | Typical evidence |
|---|---|
| ID.AM-1/2: All physical devices, systems and software platforms are inventoried. | CMDB export, asset register, discovery-tool scan (e.g. network scanner) with last-seen dates. |
| ID.AM-3: Organisational communication and data flows are mapped. | Data-flow diagrams, network architecture diagrams, east-west traffic mapping. |
| ID.AM-5: Resources are prioritised by classification, criticality and business value. | Asset criticality matrix, crown-jewel register, business-impact tagging. |
| ID.AM-6: Cybersecurity roles for the whole workforce and third parties are established. | RACI matrix, role descriptions, third-party responsibility clauses. |
| ID.BE-4/5: Dependencies and resilience requirements for critical services are established. | Business impact analysis (BIA), dependency mapping, defined RTO/RPO per service. |
5.2 IDENTIFY (ID) — Governance, Risk Assessment, Risk Strategy & Supply Chain
| What to verify | Typical evidence |
|---|---|
| ID.GV-1/3: Security policy is established and legal/regulatory requirements are understood. | Approved information security policy, ransomware-specific policy, regulatory register. |
| ID.GV-4: Governance and risk-management processes address cybersecurity risks. | Risk committee charter, risk-register reviews, board reporting cadence. |
| ID.RA-1/2: Asset vulnerabilities are identified and threat intelligence is received. | Vulnerability-scan reports, threat-intel feed subscriptions, ransomware TTP briefings. |
| ID.RA-3/5: Threats, likelihood, impact and risk are determined for ransomware. | Ransomware-specific risk assessment, threat-modelling output, risk scoring. |
| ID.RM-1/2/3: Risk-management processes are agreed and risk tolerance is defined. | Risk appetite statement, risk-tolerance thresholds, treatment decisions. |
| ID.SC-1..5: Supply-chain risk is identified, assessed, contractualised and monitored. | Vendor risk assessments, security clauses, SLA/incident-notification terms, right-to-audit. |
5.3 PROTECT (PR) — Identity Management & Access Control
| What to verify | Typical evidence |
|---|---|
| PR.AC-1: Identities and credentials are managed for devices, users and processes. | IAM inventory, joiner/mover/leaver process, credential-lifecycle records. |
| PR.AC-3: Remote access is managed (a top ransomware entry vector). | VPN config, RDP restriction, zero-trust/VDI policy, exposed-service scan showing no open RDP. |
| PR.AC-4: Access permissions follow least privilege and separation of duties. | Access-review reports, privileged-access management (PAM) logs, admin-tier model. |
| PR.AC-5: Network integrity is protected (segmentation). | VLAN/segmentation design, firewall rulesets, micro-segmentation evidence. |
| PR.AC-7: Users, devices and assets are authenticated commensurate with risk (MFA). | MFA enrolment coverage report, phishing-resistant MFA for admins, conditional-access policy. |
5.4 PROTECT (PR) — Awareness & Training and Data Security
| What to verify | Typical evidence |
|---|---|
| PR.AT-1: All users are informed and trained (anti-phishing). | Training completion rates, phishing-simulation click/report metrics, curriculum. |
| PR.AT-2/3/4: Privileged users, third parties and executives receive tailored training. | Role-specific training records, admin awareness modules, executive tabletop attendance. |
| PR.DS-1: Data-at-rest is protected (encryption). | Disk/database encryption config, key-management records. |
| PR.DS-2: Data-in-transit is protected. | TLS configuration, VPN encryption standards, certificate inventory. |
| PR.DS-3/4: Assets are formally managed and adequate capacity/availability maintained. | Media-handling policy, capacity monitoring, availability SLAs. |
| PR.DS-6: Integrity-checking mechanisms verify software, firmware and data integrity. | File-integrity monitoring (FIM), code-signing, backup-integrity verification. |
5.5 PROTECT (PR) — Information Protection Processes, Maintenance & Protective Technology
| What to verify | Typical evidence |
|---|---|
| PR.IP-1: A baseline configuration (hardening) is created and maintained. | CIS Benchmark / STIG compliance scans, golden-image documentation. |
| PR.IP-4: Backups are conducted, maintained and tested (the single most critical ransomware control). | Backup schedule, immutable/offline/air-gapped copy evidence, restore-test logs, 3-2-1 architecture. |
| PR.IP-9/10: Response and recovery plans exist and are tested. | Incident-response plan, DR plan, tabletop and full-recovery test reports. |
| PR.IP-12: A vulnerability-management plan is developed and executed. | Patch-management policy, SLA-based remediation metrics, exception register. |
| PR.MA-1/2: Maintenance and remote maintenance are performed and logged with approvals. | Change tickets, remote-maintenance authorisation, maintenance logs. |
| PR.PT-1: Audit/log records are determined, documented and reviewed. | Logging standard, retention policy, SIEM coverage report. |
| PR.PT-2/3: Removable media is protected and systems run least-functionality (allowlisting, macro-blocking). | USB-control policy, application allowlisting config, Office macro-blocking GPO. |
| PR.PT-4: Communications and control networks are protected. | Email security (SPF/DKIM/DMARC), web filtering, network access control. |
5.6 DETECT (DE) — Anomalies & Events, Continuous Monitoring, Detection Processes
| What to verify | Typical evidence |
|---|---|
| DE.AE-1: A baseline of network operations and expected data flows is established. | Network baseline documentation, NDR/flow-analytics config. |
| DE.AE-2/3: Detected events are analysed and event data is aggregated and correlated. | SIEM correlation rules, ransomware-behaviour analytics, alert triage records. |
| DE.AE-5: Incident alert thresholds are established. | Alerting thresholds, severity matrix, SOC playbooks. |
| DE.CM-1: Networks are monitored to detect potential cybersecurity events. | NDR/IDS coverage, mass-encryption and canary-file detection alerts. |
| DE.CM-3/4: Personnel activity is monitored and malicious code is detected. | EDR/anti-malware deployment coverage, insider-threat monitoring. |
| DE.CM-7/8: Unauthorised assets/software are monitored and vulnerability scans performed. | Rogue-device detection, scheduled scan reports, unmanaged-asset alerts. |
| DE.DP-1..5: Detection roles, testing, communication and continuous improvement are defined. | SOC RACI, detection-rule test evidence, false-positive tuning records. |
5.7 RESPOND (RS) — Response Planning, Communications & Analysis
| What to verify | Typical evidence |
|---|---|
| RS.RP-1: A ransomware response plan is executed during or after an incident. | Ransomware IR playbook, invocation records, on-call rota. |
| RS.CO-1: Personnel know their roles and order of operations when response is needed. | IR role cards, escalation matrix, contact tree. |
| RS.CO-2: Incidents are reported consistent with established criteria (regulators, law enforcement, insurer). | Reporting criteria, FBI/IC3/CISA and CERT-In notification templates and timelines. |
| RS.CO-3/4/5: Information is shared with stakeholders and voluntary intel-sharing occurs. | Comms plan, stakeholder matrix, ISAC/ISAO membership. |
| RS.AN-1/2/3: Notifications are investigated, impact is understood and forensics performed. | Triage notes, scoping report, forensic acquisition and chain-of-custody records. |
| RS.AN-4/5: Incidents are categorised and vulnerabilities/disclosures are managed. | Incident categorisation, root-cause analysis, patient-zero identification. |
5.8 RESPOND (RS) — Mitigation & Improvements; RECOVER (RC)
| What to verify | Typical evidence |
|---|---|
| RS.MI-1/2: Incidents are contained and mitigated (isolation, credential reset). | Containment logs, network-isolation evidence, mass password reset records. |
| RS.MI-3: Newly identified vulnerabilities are mitigated or documented as accepted risks. | Remediation tickets, risk-acceptance sign-off. |
| RS.IM-1/2: Response plans incorporate lessons learned and are updated. | Post-incident review reports, plan version history. |
| RC.RP-1: A recovery plan is executed during or after a ransomware incident. | DR runbook invocation, restoration sequence, RTO/RPO achievement log. |
| RC.IM-1/2: Recovery plans incorporate lessons learned and strategies are updated. | Recovery after-action report, DR-test improvement register. |
| RC.CO-1/2/3: Reputation is managed and recovery is communicated internally and externally. | Public-relations/holding statements, customer notifications, executive briefings. |
6. Scoping, materiality and tiering
Because NISTIR 8374 is voluntary and outcome-based, scoping is driven by materiality — the potential business impact of a ransomware event on a given asset, service or data set — rather than by a legally fixed boundary. Assessors first identify the crown jewels (systems whose encryption or exfiltration would be existential) and ensure the Protect, Detect and Recover Subcategories are applied to them with the greatest rigour. Lower-materiality assets may adopt the basic preventative steps only.
- Materiality drivers: revenue dependency, safety impact (OT/ICS), regulated data volume, RTO/RPO tightness and single points of failure.
- Crown-jewel scoping: domain controllers, backup infrastructure, ERP/finance systems, PACS/EHR in healthcare, SCADA/ICS in utilities.
- Backup-in-scope rule: backup and recovery infrastructure is always in the highest tier — it is the last line of defence and a prime ransomware target.
- Segmentation for scope reduction: strong network segmentation narrows the blast radius and therefore the high-tier scope.
- Third-party scope: MSP-managed and cloud-hosted assets remain in scope via contractual flow-down and shared-responsibility mapping.
7. Implementation approach (phased)
NIST prescribes a Current-Profile → Target-Profile → action-plan method. CyberSigma delivers this across five phases.
Phase 0 — Preventative basics (weeks 0–2)
- Activities: enforce MFA everywhere, patch internet-facing systems, close exposed RDP, block Office macros from the internet, deploy EDR, verify offline/immutable backups.
- Deliverables: quick-wins report, MFA and EDR coverage baseline, exposed-service closure evidence.
Phase 1 — Scoping and Current Profile (weeks 2–5)
- Activities: asset and data-flow discovery, crown-jewel identification, map current state against the NISTIR 8374 Subcategory set.
- Deliverables: asset/crown-jewel register, Current Profile heat-map by Function, materiality tiering.
Phase 2 — Target Profile and gap analysis (weeks 5–8)
- Activities: set desired maturity per Subcategory, quantify Current-to-Target gaps, prioritise by ransomware risk reduction and effort.
- Deliverables: Target Profile, prioritised gap register, risk-ranked remediation roadmap.
Phase 3 — Remediation and control uplift (months 2–6)
- Activities: implement segmentation, PAM, allowlisting, immutable backups, logging/SIEM, IR and DR plans; remediate patch and configuration gaps.
- Deliverables: hardened baselines, tested backups, approved IR/DR playbooks, closed-gap evidence pack.
Phase 4 — Validation, exercise and continuous improvement (ongoing)
- Activities: ransomware tabletop and full-restore exercises, purple-team/adversary emulation, metrics review, periodic re-profiling.
- Deliverables: exercise after-action reports, restore-time evidence, updated Profile, board resilience report.
8. Maturity / capability tiering model
The CSF Implementation Tiers describe the rigour and integration of an organisation's risk-management practices. NISTIR 8374 uses this tiering to express ransomware-readiness maturity. Tiers are not a strict maturity ladder; they describe how adaptive and integrated the practices are. CyberSigma characterises ransomware readiness across these four tiers.
| Tier | Name | Ransomware-readiness characteristics |
|---|---|---|
| Tier 1 | Partial | Ad hoc, reactive; no ransomware plan; backups untested; MFA patchy; no threat intel; recovery is improvised. |
| Tier 2 | Risk Informed | Management-approved practices exist but are not organisation-wide; some backups and MFA; IR plan drafted but rarely exercised. |
| Tier 3 | Repeatable | Formal, documented, consistently applied policies; immutable backups tested regularly; MFA everywhere; SIEM/EDR; IR/DR exercised annually. |
| Tier 4 | Adaptive | Continuous improvement driven by lessons learned and threat intelligence; automated detection/response; frequent restore drills; supply-chain resilience integrated; board-level governance. |
9. Assessment and audit approach
- Confirm scope and objectives: agree assets, business units and whether OT/ICS is included; obtain the crown-jewel register.
- Establish the Target Profile: agree the desired tier per Subcategory with the CISO and risk owners.
- Collect documentation: policies, IR/DR plans, backup and restore-test logs, MFA/EDR coverage, vulnerability and patch reports.
- Interview stakeholders: SOC, IT operations, backup admins, IR lead, third-party managers and executive sponsors.
- Perform technical validation: verify MFA enrolment, backup immutability/air-gap, segmentation, allowlisting, logging and EDR coverage.
- Test recovery: witness or review a restore test against defined RTO/RPO; validate that backups are isolated from production credentials.
- Score the Current Profile: rate each Subcategory against the Target and compute per-Function readiness.
- Identify and rank gaps: map each gap to ransomware kill-chain stage and business impact.
- Report: deliver an executive summary, Function heat-map, prioritised roadmap and evidence appendix.
- Re-profile periodically: reassess after remediation and at least annually, or after any significant incident or architecture change.
10. Evidence request list
Requested evidence, grouped by CSF Function, to support a NISTIR 8374 assessment:
- Identify: asset and software inventory, data-flow diagrams, crown-jewel/BIA register, risk assessment, vendor risk assessments and contracts.
- Protect (access): IAM inventory, MFA coverage report, PAM logs, access-review records, remote-access and segmentation design.
- Protect (data & config): encryption configs, hardened-baseline scans, patch/vulnerability reports, allowlisting and macro-blocking policies.
- Protect (backup): backup schedule, 3-2-1/immutable/air-gap architecture, restore-test logs, backup-credential isolation evidence.
- Protect (people): security-awareness curriculum, training completion rates, phishing-simulation metrics.
- Detect: SIEM/EDR/NDR coverage reports, correlation and ransomware-behaviour rules, alert-triage and tuning records.
- Respond: ransomware IR playbook, escalation matrix, regulator/law-enforcement notification templates, tabletop after-action reports.
- Recover: DR runbook, RTO/RPO definitions and achievement logs, communications/PR plan, post-incident review reports.
- Governance: security policy, risk register, board reporting, insurance policy and pre-agreed IR retainer contracts.
11. Roles and responsibilities
| Role | Ransomware Profile responsibilities |
|---|---|
| Board / Executive | Own ransomware risk appetite, fund resilience, approve IR/DR strategy, oversee crisis decision-making (including any payment stance). |
| CISO / Security Leader | Own the Profile programme, set the Target Profile, report readiness, drive remediation and exercises. |
| IT Operations | Patch, harden baselines, maintain segmentation, manage identity and endpoints. |
| Backup / DR team | Maintain immutable/offline backups, perform and evidence restore tests, own RTO/RPO. |
| SOC / Detection team | Monitor for ransomware precursors and encryption behaviour, triage alerts, run threat intel. |
| Incident Response lead | Execute the ransomware playbook, coordinate containment, forensics and notification. |
| Legal / Compliance | Manage regulatory notifications (CERT-In, sector regulators), sanctions/OFAC checks, breach counsel. |
| Communications / PR | Manage internal, customer and public messaging and reputation during recovery. |
| Third-party / Vendor manager | Flow down resilience requirements, monitor MSP and cloud shared responsibility. |
12. KPIs and metrics to track
- MFA coverage: percentage of users and privileged accounts on phishing-resistant MFA (target 100% for admins).
- Patch latency: mean time to remediate critical/internet-facing vulnerabilities against SLA.
- Backup restore success rate and measured restore time versus RTO/RPO.
- Percentage of backups that are immutable/air-gapped and isolated from production credentials.
- EDR/anti-malware and logging coverage across endpoints and servers.
- Phishing-simulation click rate and report rate trends.
- Mean time to detect (MTTD) and mean time to respond/contain (MTTR/MTTC) for simulated ransomware.
- Percentage of Subcategories at or above the Target tier (Profile closure rate).
- Number of exposed high-risk services (RDP/SMB) reduced to zero.
- Frequency and pass rate of ransomware tabletop and full-restore exercises.
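The Current-to-Target scoring described in Phase 2 (section 7), the "score the Current Profile" and "identify and rank gaps" steps of section 9, and the Profile closure-rate KPI above can be carried out with a small script. The following is an added example, not NIST's or CyberSigma's code; the Subcategory ratings and the 1-5 impact weights are constructed, and the tier numbers are the four CSF Implementation Tiers from section 8.

```python
"""Current-to-Target Profile gap scoring for a NISTIR 8374 assessment.

Added example (not NIST's or CyberSigma's code). Tier values 1-4 are the CSF
Implementation Tiers listed in section 8; the Subcategory ratings and the
1-5 impact weights below are constructed for illustration.
"""
import re
from dataclasses import dataclass

FUNCTION_ORDER = ["ID", "PR", "DE", "RS", "RC"]
TIER_NAMES = {1: "Partial", 2: "Risk Informed", 3: "Repeatable", 4: "Adaptive"}
SUBCATEGORY_ID = re.compile(r"^(ID|PR|DE|RS|RC)\.[A-Z]{2}-\d+$")


@dataclass(frozen=True)
class Rating:
    subcategory: str  # CSF Subcategory id, e.g. "PR.IP-4"
    current: int      # Current Profile tier (1-4)
    target: int       # Target Profile tier (1-4)
    impact: int       # assessor-assigned ransomware impact weight (1-5)

    def __post_init__(self) -> None:
        if not SUBCATEGORY_ID.match(self.subcategory):
            raise ValueError(f"malformed Subcategory id: {self.subcategory!r}")
        if not (1 <= self.current <= 4 and 1 <= self.target <= 4):
            raise ValueError(f"{self.subcategory}: tiers must be 1-4")
        if not 1 <= self.impact <= 5:
            raise ValueError(f"{self.subcategory}: impact must be 1-5")

    @property
    def function(self) -> str:
        return self.subcategory.split(".")[0]

    @property
    def gap(self) -> int:
        # A Current tier above Target is not a gap (over-investment, not risk).
        return max(0, self.target - self.current)


def function_readiness(ratings: list[Rating]) -> dict[str, float]:
    """Per-Function readiness (%): mean over its Subcategories of
    min(current/target, 1). Functions with no ratings are omitted."""
    ratios: dict[str, list[float]] = {f: [] for f in FUNCTION_ORDER}
    for r in ratings:
        ratios[r.function].append(min(r.current / r.target, 1.0))
    return {f: round(100 * sum(v) / len(v), 2) for f, v in ratios.items() if v}


def closure_rate(ratings: list[Rating]) -> float:
    """Section 12 KPI: % of Subcategories at or above their Target tier."""
    if not ratings:
        return 0.0
    met = sum(1 for r in ratings if r.gap == 0)
    return round(100 * met / len(ratings), 2)


def ranked_gaps(ratings: list[Rating]) -> list[tuple[str, int, int]]:
    """Open gaps as (subcategory, gap, priority), priority = gap * impact,
    highest first; ties broken by Subcategory id for a stable roadmap."""
    open_gaps = [(r.subcategory, r.gap, r.gap * r.impact) for r in ratings if r.gap]
    return sorted(open_gaps, key=lambda g: (-g[2], g[0]))


# Constructed sample assessment (not real client data).
SAMPLE = [
    Rating("ID.AM-1", 2, 3, 3),  # asset inventory
    Rating("PR.AC-7", 2, 4, 5),  # MFA
    Rating("PR.IP-4", 1, 4, 5),  # backups
    Rating("PR.PT-3", 1, 3, 4),  # allowlisting / least functionality
    Rating("DE.AE-5", 3, 3, 2),  # alert thresholds
    Rating("DE.CM-4", 3, 3, 4),  # malicious-code detection
    Rating("RS.RP-1", 2, 3, 4),  # response plan
    Rating("RC.RP-1", 1, 3, 5),  # recovery plan
]


def report(ratings: list[Rating]) -> list[str]:
    """Human-readable lines for the Function heat-map and remediation roadmap."""
    lines = [f"{f} readiness: {pct:.2f}%" for f, pct in function_readiness(ratings).items()]
    lines.append(f"Profile closure rate: {closure_rate(ratings):.2f}%")
    for sub, gap, prio in ranked_gaps(ratings):
        cur = next(r for r in ratings if r.subcategory == sub)
        lines.append(f"{sub}: {TIER_NAMES[cur.current]} -> {TIER_NAMES[cur.target]} "
                     f"(gap {gap}, priority {prio})")
    return lines


if __name__ == "__main__":
    print("\n".join(report(SAMPLE)))
```

On the sample data the backup Subcategory PR.IP-4 ranks first, which matches the Profile's own emphasis on backups as the highest-value control.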
13. Readiness checklist
- Complete asset and data inventory with crown jewels identified and tiered.
- MFA enforced for all users and phishing-resistant MFA for all administrators.
- Internet-facing RDP and unnecessary services closed; attack surface scanned.
- Immutable and/or air-gapped backups configured, isolated from production credentials.
- Backup restores tested within the last quarter against defined RTO/RPO.
- Office macros from the internet blocked and application allowlisting deployed.
- EDR and centralised logging/SIEM deployed across endpoints and servers.
- Network segmentation isolates crown jewels and backup infrastructure.
- Ransomware-specific IR playbook approved, with escalation and notification templates.
- DR plan tested end-to-end at least annually with lessons captured.
- Security-awareness and phishing-simulation programme running for all staff.
- Threat intelligence and ISAC/ISAO feeds integrated into detection.
- Regulator, law-enforcement and insurer notification paths pre-agreed.
- Third-party/MSP and cloud shared-responsibility resilience requirements confirmed.
- Board-level ransomware risk reporting and risk-appetite statement in place.
14. Common gaps and findings
- Backups exist but are online and reachable with domain-admin credentials — encrypted alongside production.
- Restores never tested; RTO/RPO undocumented, so recovery time is unknown until a real incident.
- MFA missing on legacy VPN, RDP or service accounts — the classic ransomware entry point.
- Flat network with no segmentation, allowing a single foothold to reach the entire estate.
- No application allowlisting and Office macros permitted, enabling initial payload execution.
- Patch backlog on internet-facing systems (VPN gateways, mail servers, hypervisors).
- IR plan exists only for generic incidents, with no ransomware-specific playbook or payment-decision framework.
- Logging gaps and short retention prevent forensic scoping and patient-zero identification.
- No pre-agreed IR retainer, forensic firm, breach counsel or insurer notification path.
- Third-party/MSP access over-privileged and unmonitored; shared-responsibility boundaries unclear.
- Executive and privileged-user awareness training absent; no ransomware tabletop exercises.
- Threat intelligence not operationalised into detection rules for known ransomware TTPs.
15. Ransomware Profile mapped to other frameworks
Because NISTIR 8374 is a CSF Profile, it maps cleanly to the frameworks the CSF already references, and to major regulatory regimes. This helps clients reuse a single evidence set across multiple obligations.
| Framework / regime | Relationship to the Ransomware Profile |
|---|---|
| NIST CSF 1.1 / 2.0 | Direct parent; the Profile is a curated subset of CSF Subcategories. A CSF 2.0 Ransomware Community Profile (Feb 2024) re-expresses it, adding the GOVERN function. |
| NIST SP 800-53 Rev. 5 | Primary Informative Reference — provides the concrete controls (AC, CP, SI, IR families) implementing each Subcategory. |
| CIS Controls v8 | Safeguards map to Subcategories; CIS IG1 aligns closely to the basic preventative steps. |
| ISO/IEC 27001:2022 | Annex A controls (e.g. A.8 backup, A.5.7 threat intel, A.8.5 authentication) satisfy Protect/Detect/Recover outcomes. |
| ISA/IEC 62443 | Referenced for OT/ICS ransomware resilience in industrial environments. |
| NIST SP 800-61 / SP 800-184 | Incident-handling and cyber-recovery guidance underpin the Respond and Recover Functions. |
| HIPAA Security Rule (US health) | OCR guidance treats ransomware as a reportable breach; the Profile evidences required safeguards. |
| CERT-In Directions (India, 2022) | 6-hour incident-reporting mandate and 180-day log retention align to RS.CO and PR.PT outcomes. |
| Cyber-insurance controls | Insurer questionnaires (MFA, EDR, immutable backups, IR plan) map almost one-to-one to Profile Subcategories. |