National Institute of Standards and Technology

runZero simplifies compliance with NIST CSF and 800-171 by helping you quickly assess your cybersecurity posture, identify vulnerabilities, and implement necessary controls to protect sensitive federal information. Empower your team to monitor, report, and mitigate risks, ensuring continuous compliance and safeguarding against evolving cyber threats.

Our Alignment

Core Functions of the NIST Cybersecurity Framework (CSF)

What We Do

runZero supports NIST’s Identify pillar by delivering continuous asset discovery and vulnerability detection through advanced fingerprinting, covering all devices—whether IT, OT, IoT, unmanaged, or unknown.


Your Outcome

This comprehensive visibility ensures organizations eliminate blind spots, prioritize risks, and maintain compliance across their operations, supply chain, and business environment, enabling better informed cybersecurity decisions.

What We Do

runZero supports NIST's Protect pillar by providing continuous asset discovery and identification of exposures beyond traditional vulnerabilities, including missing or weak security controls and attack pathways across IT, OT, and IoT environments.


Your Outcome

This proactive approach helps organizations identify and close gaps, strengthen policies, and harden systems, ensuring that all assets and risks are protected, even as business operations and the threat landscape evolve.

What We Do

runZero supports NIST’s Detect pillar by providing continuous asset discovery and visibility into network topology, helping organizations establish accurate baselines and track changes that are crucial to monitoring and event detection.


Your Outcome

This information helps organizations improve and accelerate their detection processes, strengthen response strategies, and ensure real-time protection across their network, even as devices and workflows change.

What We Do

runZero supports NIST’s Respond pillar by providing deep visibility into affected assets, helping incident response teams to quickly identify compromised systems, determine root cause, and assess the potential scope of compromise.


Your Outcome

This information is crucial in time-sensitive situations, enabling swifter and more effective response to incidents, containment of threats, and improvement of future response strategies based on lessons learned from past events.

What We Do

runZero supports NIST's Recover pillar by delivering critical data and continuous visibility into assets, helping to track impacted systems and ensure they are restored to their original state.


Your Outcome

This visibility is essential not only for recovering from incidents but also for refining future recovery strategies, enhancing organizational resilience, and safeguarding critical infrastructure during disaster recovery situations.


Achieve Compliance

How runZero supports NIST CSF & 800-171 requirements

runZero directly supports many of NIST's provisions related to asset visibility, inventory management, and vulnerability discovery, while also enabling programmatic approaches for protecting environments, detecting events, and responding to incidents. Its robust capabilities provide organizations with a single tool and source of truth across IT, OT, IoT, and external environments, ensuring compliance as operations and threats evolve.

Many of NIST's provisions require the integration of multiple security controls, programs, and policies working together to achieve compliance. runZero indirectly supports several of these provisions by supplying critical elements as part of a broader approach, contributing to compliance efforts that go beyond the specific areas it directly addresses.


Analysis (RS.AN)

Analysis is conducted to ensure effective response and support recovery activities.

| Requirement | Reference | Support | How runZero Helps |
| --- | --- | --- | --- |
| RS.AN-1: Notifications from detection systems are investigated | 3.3.5, 3.6.1, 3.6.2 | Indirect | Can provide the context and asset information necessary to investigate notifications from detection systems. While it doesn’t directly handle the notifications, it supports the investigation by offering detailed insights into the affected assets. |
| RS.AN-2: The impact of the incident is understood | 3.11.1 | Indirect | Helps by identifying which assets are affected and their role within the organization, aiding in understanding the incident’s impact. However, the comprehensive assessment of impact, including business and operational effects, involves broader analysis beyond runZero’s direct capabilities. |
| RS.AN-3: Forensics are performed | | Indirect | Helps support forensic investigation by providing historical asset data, network connections, ownership, vulnerabilities, etc. that supplement root cause determination. |
| RS.AN-4: Incidents are categorized consistent with response plans | 3.6.1, 3.6.2 | Indirect | Can support incident categorization by providing real-time data on the affected assets and their criticality. This data helps ensure that incidents are categorized appropriately according to the organization’s response plan, though the categorization itself is part of the incident management process. |
| RS.AN-5: Processes are established to receive, analyze and respond to vulnerabilities disclosed to the organization from internal and external sources (e.g. internal testing, security bulletins, or security researchers) | | Indirect | Helps by maintaining an up-to-date inventory of assets and their vulnerabilities, which is crucial for analyzing and responding to disclosed vulnerabilities. However, the processes for receiving and responding to vulnerability disclosures are typically managed by the organization’s security and risk management teams. |

Anomalies and Events (DE.AE)

Anomalous activity is detected and the potential impact of events is understood.

| Requirement | Reference | Support | How runZero Helps |
| --- | --- | --- | --- |
| DE.AE-1: A baseline of network operations and expected data flows for users and systems is established and managed | N/A | Indirect | Provides comprehensive visibility into the organization’s assets and network topology, which helps in establishing a baseline of network operations. While runZero does not directly create or manage these baselines, it ensures that all devices and systems are accounted for, allowing organizations to establish accurate baselines. The management of baselines and monitoring deviations typically involves network monitoring and SIEM tools. |
| DE.AE-2: Detected events are analyzed to understand attack targets and methods | 3.3.1, 3.3.2, 3.3.5, 3.6.1, 3.14.6, 3.14.7 | Indirect | Supports the analysis of detected events by providing detailed information about the assets involved. Understanding the role and configuration of affected assets can provide insights into potential attack targets and methods. However, the actual analysis of events is performed by security analysts using tools like SIEMs, EDRs, or threat intelligence platforms. |
| DE.AE-3: Event data are collected and correlated from multiple sources and sensors | 3.3.5 | Indirect | Supports the collection and correlation of event data by providing detailed visibility into the organization's assets, which ensures that all relevant data sources are accounted for. However, the actual process of collecting and correlating event data from multiple sources and sensors is performed by SIEMs and other dedicated security monitoring tools. |
| DE.AE-4: Impact of events is determined | 3.11.1 | Indirect | Provides critical information about the assets impacted by an event, such as their role within the organization and their vulnerabilities. This information is vital for determining the potential impact of an event, though the full impact analysis is usually performed by incident response teams using a combination of tools and expertise. |
| DE.AE-5: Incident alert thresholds are established | 3.6.1, 3.6.2 | Indirect | Provides the necessary visibility and understanding of normal network and asset behavior that informs the setting of incident alert thresholds, although the actual configuration of these thresholds is managed by dedicated security monitoring tools. |

Asset Management (ID.AM)

The data, personnel, devices, systems, and facilities that enable the organization to achieve business purposes are identified and managed consistent with their relative importance to organizational objectives and the organization’s risk strategy.

| Requirement | Reference | Support | How runZero Helps |
| --- | --- | --- | --- |
| ID.AM-1: Physical devices and systems within the organization are inventoried | 3.4.1 | Direct | • Scans the external and internal network to identify all connected devices including IT, OT, and IoT • Discovers unknown and unmanaged devices ensuring no blind spots • Provides an up-to-date inventory of all discovered devices, ensuring accurate and current information • Uses advanced fingerprinting capturing deep device details • Automatically reflects changes to ensure the inventory stays current even as changes occur |
| ID.AM-2: Software platforms and applications within the organization are inventoried | 3.4.1 | Direct | • Provides continuous visibility into all software platforms, applications, and associated documentation • Enables organizations to establish and maintain baseline configurations for hardware, software, and firmware • Tracks changes in software assets to ensure the inventory remains accurate and up to date • Supports management of development cycles by providing insight into software and firmware updates |
| ID.AM-4: External information systems are catalogued | 3.1.20, 3.1.21 | Direct | • Identifies and catalogs all external information systems interacting with the organization's network, including cloud services and third-party systems • Provides detailed insights into the role and data handling practices of each external system • Monitors changes to ensure the catalog of external systems is always up to date • Classifies external systems based on business importance and associated risk |
| ID.AM-5: Resources are prioritized based on their classification, criticality, and business value | N/A | Direct | • Discovers and classifies assets by location, ownership, type, hardware, OS, function, and many more attributes • Provides complete control for organizations to prioritize assets based on their criticality and risk to the business • Supports risk-based prioritization to ensure that the most critical and high-value resources receive appropriate protection and attention |
| ID.AM-6: Cybersecurity roles and responsibilities for the entire workforce and third-party stakeholders (e.g., suppliers, customers, partners) are established | N/A | Indirect | runZero does not directly establish roles and responsibilities, but it can indirectly support this requirement by providing the necessary visibility into the assets and systems for which those roles and responsibilities are assigned. For instance, by ensuring that all hardware, software, and devices are accounted for and managed, runZero helps organizations understand what assets need protection, thereby informing the development of appropriate roles and responsibilities. |

Awareness and Training (PR.AT)

The organization’s personnel and partners are provided cybersecurity awareness education and are trained to perform their cybersecurity-related duties and responsibilities consistent with related policies, procedures, and agreements.

| Requirement | Reference | Support | How runZero Helps |
| --- | --- | --- | --- |
| PR.AT-2: Privileged users understand their roles and responsibilities | 3.2.1, 3.2.2 | Indirect | Can help identify the systems and assets that privileged users have access to, which is critical for defining their roles and responsibilities. By providing a clear map of the organization’s assets and associated risks, runZero can indirectly support the training of privileged users by highlighting the areas they are responsible for securing. The actual training and role definition are handled by the organization. |
| PR.AT-3: Third-party stakeholders (e.g., suppliers, customers, partners) understand their roles and responsibilities | N/A | Indirect | Provides visibility into the external systems and third-party connections within the organization’s network. This information can be used to educate third-party stakeholders about the assets they interact with and their responsibilities regarding those assets. However, runZero does not directly engage in training or informing third-party stakeholders; this is typically managed through organizational communication and contractual agreements. |
| PR.AT-4: Senior executives understand their roles and responsibilities | 3.2.1, 3.2.2 | Indirect | Offers critical insights into the organization’s asset landscape, which can be used to inform senior executives about the cybersecurity posture of the organization. These insights can help executives understand their responsibilities regarding risk management and decision-making. However, runZero itself does not directly train or inform senior executives; this is usually handled through executive briefings and strategic communications within the organization. |
| PR.AT-5: Physical and cybersecurity personnel understand their roles and responsibilities | 3.2.1, 3.2.2 | Indirect | Provides detailed visibility into the network and assets, which is crucial for cybersecurity personnel in understanding the scope of their responsibilities. By identifying and monitoring critical assets, runZero supports the operational tasks of cybersecurity personnel, ensuring they are aware of the systems they must protect. However, the direct training and role definition are managed by the organization’s training and human resources teams. |

Business Environment (ID.BE)

The organization’s mission, objectives, stakeholders, and activities are understood and prioritized; this information is used to inform cybersecurity roles, responsibilities, and risk management decisions.

| Requirement | Reference | Support | How runZero Helps |
| --- | --- | --- | --- |
| ID.BE-1: The organization’s role in the supply chain is identified and communicated | N/A | Indirect | Can help identify and catalog the systems and assets that are part of the organization’s supply chain, which is essential for understanding the organization's role. However, the communication aspect of this requirement is beyond the direct capabilities of runZero, as it is more about organizational governance and communication strategies. |
| ID.BE-2: The organization’s place in critical infrastructure and its industry sector is identified and communicated | N/A | Indirect | Provides detailed visibility into the assets and systems within the organization, which is critical for understanding how the organization fits within the larger industry sector and critical infrastructure. This information supports the identification process, but communicating this role is typically handled through organizational governance rather than runZero’s core functionality. |
| ID.BE-3: Priorities for organizational mission, objectives, and activities are established and communicated | N/A | Indirect | While runZero is not directly responsible for setting or communicating organizational priorities, it provides essential data about assets and systems that can inform these priorities. For example, by understanding which systems are most critical to operations, the organization can better align its mission and objectives. |
| ID.BE-4: Dependencies and critical functions for delivery of critical services are established | N/A | Indirect | runZero can help map out dependencies between different systems and assets, identifying which are critical for the delivery of key services. By doing so, it directly supports the establishment of dependencies and critical functions, ensuring that the organization has a clear understanding of what is essential for service delivery. |
| ID.BE-5: Resilience requirements to support delivery of critical services are established for all operating states (e.g. under duress/attack, during recovery, normal operations) | N/A | Indirect | runZero provides the visibility and monitoring necessary to identify critical assets and their roles, which can be used to establish resilience requirements. However, implementing resilience strategies across all operating states is a broader organizational task that includes not just asset management but also disaster recovery planning, business continuity management, and incident response—all of which are informed by the data runZero provides. |

Respond - Communications (RS.CO)

Response activities are coordinated with internal and external stakeholders (e.g. external support from law enforcement agencies).

| Requirement | Reference | Support | How runZero Helps |
| --- | --- | --- | --- |
| RS.CO-1: Personnel know their roles and order of operations when a response is needed | 3.6.3 | Indirect | Helps ensure that the necessary asset information is available during an incident, supporting personnel in understanding their roles and responsibilities related to specific systems. However, the direct training of personnel and the establishment of operational procedures are beyond runZero's scope. |
| RS.CO-2: Incidents are reported consistent with established criteria | 3.6.2 | Indirect | Can assist in gathering the necessary data about assets and their status during an incident, which is crucial for consistent reporting. However, the actual criteria for incident reporting and the process of reporting are managed by the organization’s incident response team. |
| RS.CO-3: Information is shared consistent with response plans | N/A | Indirect | Provides valuable insights into the state of the organization’s assets during an incident, which can be shared according to the response plan. However, the responsibility for information sharing according to response plans lies with the incident response team. |
| RS.CO-4: Coordination with stakeholders occurs consistent with response plans | 3.6.1 | Indirect | Can support coordination efforts by providing clear visibility into the affected assets and systems. However, the coordination process itself, especially with external stakeholders, is managed by the incident response or crisis management team. |

Data Security (PR.DS)

Information and records (data) are managed consistent with the organization’s risk strategy to protect the confidentiality, integrity, and availability of information.

| Requirement | Reference | Support | How runZero Helps |
| --- | --- | --- | --- |
| PR.DS-1: Data-at-rest is protected | 3.1.19, 3.8.1, 3.8.9, 3.13.10, 3.13.16 | Indirect | While runZero does not directly protect data-at-rest, it helps identify all devices and systems where data is stored, allowing organizations to ensure that proper protections are in place for data-at-rest (such as encryption). The actual protection mechanisms, like encryption and access controls, are handled by other tools and systems. |
| PR.DS-2: Data-in-transit is protected | 3.1.13, 3.1.17, 3.8.5, 3.13.8, 3.13.10 | Indirect | Helps map out data flows and network communications, allowing organizations to identify where data-in-transit may be vulnerable. However, the direct protection of data-in-transit, such as encryption during transmission, is handled by other security systems (e.g., VPNs, SSL/TLS, etc.). |
| PR.DS-3: Assets are formally managed throughout removal, transfers, and disposition | 3.4.1, 3.8.1, 3.8.2, 3.8.3, 3.8.5 | Direct | • Identifies and tracks assets throughout their entire lifecycle, including removal, transfer, and disposition • Ensures all assets are accounted for during these processes to avoid gaps in asset management • Supports secure decommissioning or relocation of assets to maintain control and security throughout their transition |
| PR.DS-4: Adequate capacity to ensure availability is maintained | N/A | Indirect | Provides visibility into the number and types of assets within the network, which can inform capacity planning. While runZero itself doesn’t manage capacity, its insights into asset inventory and network traffic can help identify potential bottlenecks or over-usage that might affect availability. |
| PR.DS-5: Protections against data leaks are implemented | 3.1.4, 3.1.13, 3.2.3, 3.9.2, 3.13.1, 3.13.5, 3.13.6, 3.13.7, 3.13.8, 3.13.11, 3.13.16, 3.14.6 | Indirect | Helps by identifying and monitoring devices and systems that handle sensitive data, making it easier to ensure that data leak protection (DLP) measures are applied correctly. However, the implementation of specific protections against data leaks, such as DLP systems, is managed by other tools. |
| PR.DS-6: Integrity checking mechanisms are used to verify software, firmware, and information integrity | N/A | Indirect | Can identify and catalog the software and firmware versions running on devices, which helps ensure that integrity checks are applied to critical assets. However, the actual integrity-checking mechanisms, such as hash verification or software signing, are typically implemented by other systems. |
| PR.DS-7: The development and testing environment(s) are separate from the production environment | N/A | Indirect | Can help organizations identify and differentiate between development, testing, and production environments by mapping out connected systems. This visibility helps ensure that these environments remain properly segmented, though the enforcement of this separation is managed by network segmentation and access control systems. |
| PR.DS-8: Integrity checking mechanisms are used to verify hardware integrity | N/A | Indirect | Provides comprehensive visibility into hardware assets, helping organizations monitor and track hardware changes. While runZero does not perform integrity checks directly, the asset inventory it provides can support hardware integrity checks, ensuring that the correct hardware is in place and functioning as expected. |

Detection Processes (DE.DP)

| Requirement | Reference | Support | How runZero Helps |
| --- | --- | --- | --- |
| DE.DP-1: Roles and responsibilities for detection are well defined to ensure accountability | N/A | Indirect | Provides essential visibility into the organization's assets and their associated risks. This information can help organizations assign specific detection responsibilities to the appropriate personnel by making it clear which assets need monitoring and who should be accountable for them. The actual definition of roles and responsibilities is typically handled by the organization’s security management and governance teams. |
| DE.DP-2: Detection activities comply with all applicable requirements | 3.12.1, 3.12.3, 3.14.6, 3.14.7 | Indirect | Helps ensure that detection activities comply with applicable requirements by providing a complete and accurate inventory of assets that need to be monitored. This visibility helps ensure that all relevant systems are included in detection activities and that compliance with industry standards and organizational policies is maintained. However, the specific compliance checks and audits are managed by the organization’s compliance and security teams. |
| DE.DP-3: Detection processes are tested | 3.10.4, 3.12.1, 3.12.3 | Indirect | Can support the testing of detection processes by providing visibility into network changes and ensuring that all assets are accounted for during testing. This can help validate that detection processes are effectively identifying potential threats across the organization’s assets. The actual testing and validation processes are typically conducted by the organization’s security operations team or an external auditor. |
| DE.DP-4: Event detection information is communicated | N/A | Indirect | Contributes to the communication of event detection information by providing real-time insights into the status of assets and detected vulnerabilities. This information can be shared with relevant stakeholders to keep them informed about potential risks and detected events. However, the formal communication process and channels are established and managed by the organization’s incident response and communication teams. |
| DE.DP-5: Detection processes are continuously improved | N/A | Indirect | Provides ongoing visibility into the organization's assets and their vulnerabilities, which is critical for identifying areas where detection processes can be improved. By analyzing data from past incidents and continuously monitoring the network, runZero can help inform improvements to detection strategies. However, the actual process of improving detection methods involves broader security management efforts that go beyond runZero’s direct capabilities. |

Governance (ID.GV)

The policies, procedures, and processes to manage and monitor the organization’s regulatory, legal, risk, environmental, and operational requirements are understood and inform the management of cybersecurity risk.

| Requirement | Reference | Support | How runZero Helps |
| --- | --- | --- | --- |
| ID.GV-1: Organizational cybersecurity policy is established and communicated | N/A | Indirect | runZero supports the enforcement of cybersecurity policies by providing visibility into assets, devices, and systems, which are critical components of any cybersecurity framework. However, the actual establishment and communication of the cybersecurity policy are tasks for the organization's governance and leadership teams, not directly within runZero's functionality. |
| ID.GV-2: Cybersecurity roles and responsibilities are coordinated and aligned with internal roles and external partners | N/A | Indirect | While runZero does not directly manage roles and responsibilities, it provides essential data about the assets and systems that various cybersecurity roles will be responsible for protecting. This information can be used to inform and align the responsibilities of internal teams and external partners, ensuring that everyone is aware of the assets they need to secure. |
| ID.GV-3: Legal and regulatory requirements regarding cybersecurity, including privacy and civil liberties obligations, are understood and managed | N/A | Indirect | runZero provides detailed inventories and visibility into systems that can help organizations understand which assets are subject to legal and regulatory requirements. By knowing what data and systems are in place, organizations can better manage compliance with cybersecurity laws and regulations. However, the interpretation and management of these legal requirements fall under the organization’s legal and governance teams. |
| ID.GV-4: Governance and risk management processes address cybersecurity risks | N/A | Indirect | runZero plays a critical role in providing the data needed to identify and assess cybersecurity risks, which are key inputs into governance and risk management processes. By continuously monitoring and reporting on asset status and vulnerabilities, runZero supports risk management efforts. However, the broader governance and risk management processes are typically managed by a dedicated team within the organization, informed by the data runZero provides. |

Identity Management, Authentication and Access Control (PR.AC)

Access to physical and logical assets and associated facilities is limited to authorized users, processes, and devices, and is managed consistent with the assessed risk of unauthorized access to authorized activities and transactions.

| Requirement | Reference | Support | How runZero Helps |
| --- | --- | --- | --- |
| PR.AC-1: Identities and credentials are issued, managed, verified, revoked, and audited for authorized devices, users and processes | 3.5.1, 3.5.2, 3.5.5, 3.5.6, 3.5.7, 3.5.8, 3.5.9, 3.5.10, 3.5.11 | Indirect | While runZero does not manage identities and credentials directly, it provides critical visibility into the assets and devices that require credential management. This information can be used to ensure that all necessary devices are included in identity and access management (IAM) processes. However, the issuance, management, and auditing of identities and credentials are typically handled by IAM systems. |
| PR.AC-3: Remote access is managed | 3.1.1, 3.1.2, 3.1.14, 3.1.15, 3.1.18, 3.1.20, 3.13.9, 3.13.12 | Indirect | Helps identify and monitor devices that have remote access capabilities, ensuring that these devices are properly accounted for and managed within the organization's remote access policies. While runZero provides the necessary visibility, the actual management of remote access, including VPNs and secure access gateways, is typically handled by other systems. |
| PR.AC-4: Access permissions and authorizations are managed, incorporating the principles of least privilege and separation of duties | 3.1.1, 3.1.2, 3.1.4, 3.1.5, 3.1.6, 3.1.7, 3.1.8, 3.1.10, 3.1.11, 3.5.3, 3.5.4, 3.13.3, 3.13.4 | Indirect | Assists in identifying and categorizing assets, which can inform the management of access permissions and authorizations. The tool ensures that all devices and systems are accounted for, making it easier to enforce the principles of least privilege and separation of duties. However, the actual management of access permissions is usually handled by access control systems or IAM solutions. |
| PR.AC-5: Network integrity is protected (e.g., network segregation, network segmentation) | 3.1.3, 3.13.1, 3.13.2, 3.13.5, 3.13.6, 3.13.7 | Direct | • Provides detailed visibility into the entire network, mapping out the topology • Identifies network segments and zones for better understanding and control • Ensures network integrity by enabling proper segregation and segmentation of the network |
| PR.AC-7: Users, devices, and other assets are authenticated (e.g., single-factor, multi-factor) commensurate with the risk of the transaction (e.g., individuals’ security and privacy risks and other organizational risks) | N/A | Indirect | Provides visibility into all assets within the network, which supports the management and enforcement of authentication requirements. While runZero does not handle authentication directly, it ensures that all devices and assets are properly identified and categorized, which is essential for implementing appropriate authentication mechanisms. |

Information Protection Processes and Procedures (PR.IP)

Security policies (that address purpose, scope, roles, responsibilities, management commitment, and coordination among organizational entities), processes, and procedures are maintained and used to manage protection of information systems and assets.

| Requirement | Reference | Support | How runZero Helps |
| --- | --- | --- | --- |
| PR.IP-1: A baseline configuration of information technology/industrial control systems is created and maintained incorporating security principles (e.g. concept of least functionality) | 3.4.1, 3.4.2, 3.4.6, 3.4.7, 3.4.8 | Indirect | Provides detailed visibility into all assets and their configurations, which is essential for establishing and maintaining baseline configurations. By continuously monitoring and documenting the current state of systems, runZero helps ensure that the baseline configurations reflect the actual environment and incorporate security principles like least functionality. However, the actual creation and enforcement of these baselines are managed by configuration management tools and processes. |
| PR.IP-2: A System Development Life Cycle to manage systems is implemented | N/A | Indirect | Can support the SDLC by ensuring that all assets and their configurations are accurately tracked throughout the system’s life cycle, which is critical for maintaining security and compliance. |
| PR.IP-3: Configuration change control processes are in place | 3.4.3, 3.4.4, 3.4.5 | Indirect | Helps detect unauthorized or unexpected configuration changes, providing a critical layer of oversight to configuration change control processes. While runZero does not manage change control processes directly, it ensures that any changes made are visible and can be audited. |
| PR.IP-4: Backups of information are conducted, maintained, and tested | N/A | Indirect | By providing visibility into the organization’s assets, it helps ensure that all relevant systems are included in the backup processes and that their configurations are known and documented for recovery purposes. |
| PR.IP-6: Data is destroyed according to policy | 3.8.3 | Indirect | Can help identify assets and data that need to be securely destroyed, but it does not perform the actual data destruction. This process is typically managed by IT and compliance teams, according to organizational policies. |
| PR.IP-7: Protection processes are improved | N/A | Indirect | Supports the continuous improvement of protection processes by providing insights into asset vulnerabilities and changes in the network. This information can inform updates to security controls and processes, ensuring they remain effective against emerging threats. |
| PR.IP-8: Effectiveness of protection technologies is shared | N/A | Indirect | Can provide data on how well assets are being protected by existing technologies, which can be shared with stakeholders to assess and improve protection measures. However, the actual sharing and communication processes are managed by the organization’s security leadership. |
| PR.IP-9: Response plans (Incident Response and Business Continuity) and recovery plans (Incident Recovery and Disaster Recovery) are in place and managed | 3.6.1, 3.6.2 | Indirect | Provides essential data that can inform the development and management of response and recovery plans. By ensuring visibility into all assets, runZero helps organizations understand their dependencies and the potential impact of incidents, which is crucial for effective planning. The management of these plans, however, is conducted by the organization's incident response and business continuity teams. |
| PR.IP-10: Response and recovery plans are tested | 3.6.3 | Indirect | Asset visibility ensures that all relevant systems are included in response and recovery plan tests. This visibility helps validate that the plans are comprehensive and effective. However, the actual testing of these plans is managed by the organization’s incident response and disaster recovery teams. |
| PR.IP-11: Cybersecurity is included in human resources practices (e.g., deprovisioning, personnel screening) | 3.9.1, 3.9.2 | Indirect | Supports the inclusion of cybersecurity in human resources practices by providing visibility into assets and user access. This visibility ensures that deprovisioning and access revocation processes are thorough and effective, reducing the risk of unauthorized access by former employees or those who have changed roles. However, the direct management of HR practices, such as personnel screening and policy enforcement, is handled by the organization's HR and security teams. |
| PR.IP-12: A vulnerability management plan is developed and implemented | 3.11.2, 3.11.3, 3.12.2, 3.12.3, 3.14.1 | | |
3.14.2
3.14.3
Direct
  • Continuously identifies and documents vulnerabilities across all assets within the organization
  • Provides comprehensive and up-to-date vulnerability data to inform security decisions
  • Helps prioritize and address vulnerabilities based on severity, supporting a broader security strategy
  • Ensures vulnerabilities are managed as part of an organization's overall vulnerability management plan

Maintenance (PR.MA)

Maintenance and repairs of industrial control and information system components are performed consistent with policies and procedures.

Requirement Reference Support How runZero Helps
PR.MA-1
Maintenance and repair of organizational assets are performed and logged, with approved and controlled tools
3.7.1
3.7.2
3.7.3
3.7.4
3.7.6
Indirect
While runZero does not directly log maintenance activities, it can help identify which assets require maintenance and verify that the assets have been restored to their proper configuration after maintenance is performed. The actual logging of maintenance activities and the use of approved tools are managed by the organization’s IT and operations teams.
PR.MA-2
Remote maintenance of organizational assets is approved, logged, and performed in a manner that prevents unauthorized access
3.7.5
Indirect
Helps monitor and verify the status of assets before, during, and after remote maintenance activities. This ensures that unauthorized access is not gained during the maintenance process and that the assets are returned to a secure state afterward. However, runZero does not handle the approval or logging of remote maintenance activities directly; this is typically managed by the organization’s IT management systems and security policies.

Mitigation (RS.MI)

Activities are performed to prevent expansion of an event and mitigate its effects.

Requirement Reference Support How runZero Helps
RS.MI-1
Incidents are contained
3.6.1
3.6.2
Indirect
Provides the necessary visibility into the network and assets that are critical for containing an incident. By identifying affected systems, runZero helps teams quickly isolate and contain threats, though the actual containment actions are executed by the incident response team.
RS.MI-2
Incidents are mitigated
3.6.1
3.6.2
Indirect
Supports the mitigation of incidents by providing comprehensive visibility into the affected assets and their vulnerabilities. During an incident, runZero can help identify the systems and devices involved, determine their current status, and reveal any vulnerabilities that may be exploited. This information is vital for the incident response team to prioritize and implement mitigation actions, such as isolating affected assets, applying patches, or reconfiguring security settings.
RS.MI-3
Newly identified vulnerabilities are mitigated or documented as accepted risks
3.11.1
3.11.2
3.11.3
3.12.2
3.12.4
3.14.1
Direct
  • Continuously identifies new vulnerabilities across assets
  • Supports swift mitigation of vulnerabilities, aligning with the organization’s risk management strategy
  • Enables documentation of vulnerabilities as accepted risks when appropriate
  • Ensures newly discovered vulnerabilities are addressed promptly through ongoing monitoring

Protective Technology (PR.PT)

Technical security solutions are managed to ensure the security and resilience of systems and assets, consistent with related policies, procedures, and agreements.

Requirement Reference Support How runZero Helps
PR.PT-1
Audit/log records are determined, documented, implemented, and reviewed in accordance with policy
3.3.1
3.3.2
3.3.3
3.3.4
3.3.5
3.3.6
3.3.7
3.3.8
3.3.9
Indirect
Provides visibility into assets and network activity, which can help ensure that all relevant systems are included in logging and audit processes.
PR.PT-2
Removable media is protected and its use restricted according to policy
3.8.1
3.8.2
3.8.3
3.8.4
3.8.5
3.8.6
3.8.7
3.8.8
Indirect
Can identify devices and systems that have access to or interact with removable media, allowing the organization to enforce and monitor policies regarding its use. While runZero does not directly protect or restrict the use of removable media, it provides the asset visibility needed to ensure that these policies are applied consistently across the network.
PR.PT-3
The principle of least functionality is incorporated by configuring systems to provide only essential capabilities
3.1.1
3.1.2
3.4.6
3.4.7
3.4.8
Indirect
Helps identify all active services, software, and configurations across the organization's assets, which supports the application of the principle of least functionality. By providing a comprehensive view of what is running on each system, runZero helps ensure that only essential functions are enabled, and unnecessary services are disabled. The actual configuration and enforcement of least functionality are managed by the IT and security teams.
PR.PT-4
Communications and control networks are protected
3.1.16
3.1.17
3.13.1
3.13.2
3.13.5
3.13.6
3.13.7
3.13.15
Indirect
Provides detailed visibility into the network, including communication paths and control networks. This visibility helps identify potential vulnerabilities or areas that require additional protection measures. While runZero does not directly protect communications and control networks, it provides the necessary insights for the security team to implement protective measures effectively.
PR.PT-5
Mechanisms (e.g., failsafe, load balancing, hot swap) are implemented to achieve resilience requirements in normal and adverse situations
N/A
Indirect
Can help monitor the status and configuration of critical systems involved in resilience mechanisms, such as load balancing and failover configurations. By ensuring that these systems are correctly identified and monitored, runZero supports the organization’s efforts to maintain resilience. However, the implementation and management of these mechanisms are handled by specialized IT infrastructure teams.

Recover - Communications (RC.CO)

Restoration activities are coordinated with internal and external parties (e.g. coordinating centers, Internet Service Providers, owners of attacking systems, victims, other CSIRTs, and vendors).

Requirement Reference Support How runZero Helps
RC.CO-3
Recovery activities are communicated to internal and external stakeholders as well as executive and management teams
3.6.1
3.6.2
Indirect
Can generate detailed reports and provide real-time visibility into the recovery process, which can be communicated to internal and external stakeholders. These reports help ensure that all parties are informed about the recovery status, actions taken, and progress towards full restoration.

Recover - Improvements (RC.IM)

Recovery planning and processes are improved by incorporating lessons learned into future activities.

Requirement Reference Support How runZero Helps
RC.IM-1
Recovery plans incorporate lessons learned
3.6.1
3.6.2
Indirect
Can provide post-incident reports that highlight asset vulnerabilities, the effectiveness of the response, and areas where improvements are needed.
RC.IM-2
Recovery strategies are updated
3.6.1
3.6.2
Indirect
By analyzing data from incidents and tracking changes in the asset inventory, runZero can inform updates to recovery strategies. This includes identifying new vulnerabilities or changes in the network that may require adjustments to the existing recovery strategies.

Recovery Planning (RC.RP)

Recovery processes and procedures are executed and maintained to ensure restoration of systems or assets affected by cybersecurity incidents.

Requirement Reference Support How runZero Helps
RC.RP-1
Recovery plan is executed during or after a cybersecurity incident
3.6.1
3.6.2
Indirect
Provides essential visibility into the organization's assets and their status, which is critical during the execution of a recovery plan. While runZero does not execute recovery plans directly, it can help identify affected assets, track the recovery progress, and ensure that all systems are accounted for during the recovery process.

Respond - Improvements (RS.IM)

Organizational response activities are improved by incorporating lessons learned from current and previous detection/response activities.

Requirement Reference Support How runZero Helps
RS.IM-1
Response plans incorporate lessons learned
3.6.1
3.6.2
Indirect
Provides data on what assets were involved in an incident and how they were impacted, which is valuable for incorporating lessons learned into response plans. However, the process of updating and refining the response plans based on these lessons is managed by the incident response and risk management teams.
RS.IM-2
Response strategies are updated
3.6.2
Indirect
Helps inform updates to response strategies by providing insights into asset vulnerabilities and incident impact. The actual updating of response strategies is part of the broader incident management process.

Response Planning (RS.RP)

Response processes and procedures are executed and maintained, to ensure response to detected cybersecurity incidents.

Requirement Reference Support How runZero Helps
RS.RP-1
Response plan is executed during or after an incident
3.6.2
Indirect
Supports the execution of a response plan during or after an incident by providing critical visibility into the affected assets and their current status. During an incident, runZero can help the incident response team quickly identify which systems are compromised, understand the scope of the incident, and prioritize response actions based on the asset inventory and network topology it provides. This real-time asset information is essential for effectively executing a response plan.

Risk Assessment (ID.RA)

The organization understands the cybersecurity risk to organizational operations (including mission, functions, image, or reputation), organizational assets, and individuals.

Requirement Reference Support How runZero Helps
ID.RA-1
Asset vulnerabilities are identified and documented
3.11.1
3.11.2
3.12.1
3.12.3
3.14.1
3.14.3
3.14.6
3.14.7
Direct
  • Detects a wide range of vulnerabilities and unconventional exposures often missed by traditional scanners
  • Identifies outdated software versions and misconfigurations that pose security risks
  • Monitors for new vulnerabilities and issues real-time alerts to notify teams of potential threats
  • Generates reports on vulnerability types and severity, and provides recommended actions for remediation
  • Ensures that vulnerability identification is an ongoing process, maintaining up-to-date security postures
ID.RA-3
Threats, both internal and external, are identified and documented
3.11.1
3.14.1
3.14.3
Indirect
Helps identify internal threats by providing visibility into the organization's assets and detecting vulnerabilities that could be exploited. However, it does not directly document external threats unless those threats are directly related to the vulnerabilities found within the assets it monitors.
ID.RA-4
Potential business impacts and likelihoods are identified
3.11.1
Indirect
Provides critical data on the organization's assets and their vulnerabilities, which can inform assessments of potential business impacts and likelihoods. While runZero itself does not perform business impact analysis, the information it provides is essential for conducting such assessments by highlighting which assets are at risk and the severity of those risks.
ID.RA-5
Threats, vulnerabilities, likelihoods, and impacts are used to determine risk
3.11.1
Indirect
Directly identifies vulnerabilities across the organization’s assets, which are a key component of risk determination. While runZero provides the data needed to assess vulnerabilities, organizations typically need to combine this with threat intelligence, business impact analysis, and likelihood assessments from other sources to fully determine risk.
ID.RA-6
Risk responses are identified and prioritized
N/A
Indirect
Can help prioritize risk responses by identifying which assets are most vulnerable and require immediate attention. However, determining the specific risk responses and prioritization is generally part of a broader risk management strategy that involves additional context, such as business impact and threat intelligence.

Risk Management Strategy (ID.RM)

The organization’s priorities, constraints, risk tolerances, and assumptions are established and used to support operational risk decisions.

Requirement Reference Support How runZero Helps
ID.RM-1
Risk management processes are established, managed, and agreed to by organizational stakeholders
N/A
Indirect
Provides critical data that feeds into the risk management process by identifying and documenting vulnerabilities across organizational assets. This data is essential for risk assessments and informs the overall risk management strategy. However, the establishment, management, and agreement on risk management processes involve broader organizational governance and stakeholder involvement, which are beyond runZero's direct functionality.
ID.RM-2
Organizational risk tolerance is determined and clearly expressed
N/A
Indirect
Helps inform risk tolerance by providing a clear understanding of the vulnerabilities and risks associated with the organization's assets. The visibility it offers into the asset landscape allows organizations to make informed decisions about their risk tolerance based on the current threat landscape. However, the actual determination and expression of risk tolerance are strategic decisions made by organizational leadership.
ID.RM-3
The organization’s determination of risk tolerance is informed by its role in critical infrastructure and sector specific risk analysis
N/A
Indirect
Contributes to sector-specific risk analysis by providing detailed insights into the organization's assets, including those that are critical to infrastructure. This information can be used to assess how vulnerabilities in critical assets impact the organization’s role in broader infrastructure. However, sector-specific risk analysis and the determination of risk tolerance are part of a broader strategic process that involves external factors and considerations beyond the scope of runZero.

Security Continuous Monitoring (DE.CM)

The information system and assets are monitored to identify cybersecurity events and verify the effectiveness of protective measures.

Requirement Reference Support How runZero Helps
DE.CM-1
The network is monitored to detect potential cybersecurity events
3.13.1
3.14.6
3.14.7
Indirect
Provides comprehensive visibility into the network by identifying all connected devices and mapping network communications. While runZero itself is not a network monitoring tool, it supports network monitoring efforts by ensuring that all assets are accounted for, enabling effective monitoring. The actual detection of cybersecurity events would typically be handled by dedicated network monitoring or SIEM tools.
DE.CM-3
Personnel activity is monitored to detect potential cybersecurity events
3.1.12
3.3.1
3.3.2
3.4.9
Indirect
Does not directly monitor personnel activity. However, it provides visibility into the assets and systems that personnel may interact with, which can be useful for correlating with personnel activity logs managed by other tools, such as SIEMs or user behavior analytics (UBA) systems.
DE.CM-6
External service provider activity is monitored to detect potential cybersecurity events
3.14.6
3.14.7
Indirect
Can help identify and track external systems and service providers connected to the organization's network, providing the necessary visibility to monitor their activities. However, the actual monitoring of these activities for cybersecurity events would be managed by other tools designed for external activity monitoring and analysis.
DE.CM-7
Monitoring for unauthorized personnel, connections, devices, and software is performed
3.1.12
3.3.1
3.10.2
3.10.3
3.14.6
3.14.7
Direct
  • Continuously monitors the network to detect any unauthorized devices or connections
  • Identifies unauthorized software installations within the network
  • Regularly scans and updates the asset inventory to quickly identify unauthorized additions
  • Helps organizations take immediate action when unauthorized activities are detected, ensuring security measures are enforced
DE.CM-8
Vulnerability scans are performed
3.11.2
Direct
  • Performs ongoing discovery of all devices and systems within the organization
  • Identifies vulnerabilities across the network, ensuring all assets are assessed for risks
  • Ensures vulnerability scans remain current, helping to detect and mitigate potential threats promptly
  • Supports comprehensive risk management by identifying and addressing vulnerabilities in real time

Supply Chain Risk Management (ID.SC)

The organization’s priorities, constraints, risk tolerances, and assumptions are established and used to support risk decisions associated with managing supply chain risk. The organization has established and implemented the processes to identify, assess and manage supply chain risks.

Requirement Reference Support How runZero Helps
ID.SC-1
Cyber supply chain risk management processes are identified, established, assessed, managed, and agreed to by organizational stakeholders
N/A
Indirect
Can help identify and assess the risks associated with assets within the organization’s supply chain by providing detailed visibility into all connected devices and systems. However, the broader processes of establishing, managing, and gaining agreement on cyber supply chain risk management are typically handled through organizational governance and strategic processes, which are beyond runZero's direct functionality.
ID.SC-2
Suppliers and third party partners of information systems, components, and services are identified, prioritized, and assessed using a cyber supply chain risk assessment process
N/A
Indirect
Can assist in identifying and assessing third-party assets and systems connected to the organization’s network. It provides detailed inventories and can help prioritize risks based on the criticality of these assets. However, the overall assessment process, especially for external partners, typically involves additional factors such as contractual agreements, compliance checks, and third-party risk assessments that go beyond runZero’s direct scope.
ID.SC-4
Suppliers and third-party partners are routinely assessed using audits, test results, or other forms of evaluations to confirm they are meeting their contractual obligations
N/A
Indirect
Can support ongoing assessments by providing continuous monitoring and visibility into third-party systems and devices that are part of the organization’s network. This data can be used as part of broader audit and evaluation processes, but the actual execution of audits and the interpretation of test results are typically managed through other tools and processes.
© Copyright 2025 runZero, Inc. All Rights Reserved