This phase involves understanding and managing cybersecurity risks by identifying critical assets, systems, and data, and establishing a baseline of Post 288’s current cybersecurity posture. It includes activities such as asset management, analyzing the business environment, compliance with state regulations, risk assessment, managing supply chain risks, and creating an inventory of cybersecurity-related policies and procedures.

Asset Management (ID.AM):

The data, personnel, devices, systems, and facilities that enable Post 288 to achieve its business objectives are identified and managed consistent with their relative importance to organizational objectives and the organization’s risk strategy.

• ID.AM-1: Physical devices and systems within the organization are inventoried
• ID.AM-2: Software platforms and applications within the organization are inventoried
• ID.AM-3: Organizational communication and data flows are mapped
• ID.AM-4: External information systems are catalogued
• ID.AM-5: Resources (e.g., hardware, devices, data, time, personnel, and software) are prioritized based on their classification, criticality, and business value
• ID.AM-6: Cybersecurity roles and responsibilities for the entire workforce and third-party stakeholders (e.g., suppliers, customers, partners, sponsors) are established

Business Environment (ID.BE):

Post 288’s mission, objectives, stakeholders, and activities are understood and prioritized; this information is used to inform cybersecurity roles, responsibilities, and risk management decisions.

• ID.BE-1: The organization’s role in the supply chain is identified and communicated
• ID.BE-2: The organization’s place in critical infrastructure and its industry sector is identified and communicated
• ID.BE-3: Priorities for organizational mission, objectives, and activities are established and communicated
• ID.BE-4: Dependencies and critical functions for delivery of critical services are established
• ID.BE-5: Resilience requirements to support delivery of critical services are established for all operating states (e.g. under duress/attack, during recovery, normal operations)

Governance (ID.GV):

The policies, procedures, and processes to manage and monitor Post288’s regulatory, legal, risk, environmental, and operational requirements are understood and inform the management of cybersecurity risk.

• ID.GV-1: Organizational cybersecurity policy is established and communicated
• ID.GV-2: Cybersecurity roles and responsibilities are coordinated and aligned with internal roles and external partners
• ID.GV-3: Legal and regulatory requirements regarding cybersecurity, including privacy and civil liberties obligations, are understood and managed
• ID.GV-4: Governance and risk management processes address cybersecurity risks

Risk Assessment (ID.RA):

Post 288 understands the cybersecurity risk to organizational operations (including mission, functions, image, or reputation), organizational assets, and individuals.

• ID.RA-1: Asset vulnerabilities are identified and documented
• ID.RA-2: Cyber threat intelligence is received from information sharing forums and sources
• ID.RA-3: Threats, both internal and external, are identified and documented
• ID.RA-4: Potential business impacts and likelihoods are identified
• ID.RA-5: Threats, vulnerabilities, likelihoods, and impacts are used to determine risk
• ID.RA-6: Risk responses are identified and prioritized

Risk Management Strategy (ID.RM):

Post288’s priorities, constraints, risk tolerances, and assumptions are established and used to support operational risk decisions.

• ID.RM-1: Risk management processes are established, managed, and agreed to by organizational stakeholders
• ID.RM-2: Organizational risk tolerance is determined and clearly expressed
• ID.RM-3: The organization’s determination of risk tolerance is informed by its role in critical infrastructure and sector specific risk analysis

Supply Chain Risk Management (ID.SC):

Post 288’s priorities, constraints, risk tolerances, and assumptions are established and used to support risk decisions associated with managing supply chain risk. The organization has established and implemented the processes to identify, assess and manage supply chain risks.

• ID.SC-1: Cyber supply chain risk management processes are identified, established, assessed, managed, and agreed to by organizational stakeholders
• ID.SC-2: Suppliers and third party partners of information systems, components, and services are identified, prioritized, and assessed using a cyber supply chain risk assessment process
• ID.SC-3: Contracts with suppliers and third-party partners are used to implement appropriate measures designed to meet the objectives of an organization’s cybersecurity program and Cyber Supply Chain Risk Management Plan.
• ID.SC-4: Suppliers and third-party partners are routinely assessed using audits, test results, or other forms of evaluations to confirm they are meeting their contractual obligations.
• ID.SC-5: Response and recovery planning and testing are conducted with suppliers and third-party providers