Cybersecurity controls are implemented for all assets within the function either at the asset level or as compensating controls where asset-level controls are not feasible
Context and Guidance: This practice extends the architectural tactics for cybersecurity controls beyond assets that are important to the delivery of the function to include all assets used for the delivery of the function. The practice also requires that cybersecurity controls be implemented at the asset level where feasible. Compensating controls should be implemented in situations where an asset does not support cybersecurity controls at the asset level to sufficiently reduce risk. For example, if an asset does not support encrypted communications, no direct connections should be permitted with the device and all communications should be routed through an intermediary device.
Related Practices • Input From: Implementing ASSET-1f and ASSET-2f provides input that may be useful for implementing this practice. • Progression: This practice is part of a practice progression. Practice progressions are groups of related practices that represent increasingly complete or more advanced implementations of an activity. The practices in this progression include: ARCHITECTURE-3a, ARCHITECTURE-3b, ARCHITECTURE-3c, ARCHITECTURE-3d, ARCHITECTURE-3h, ARCHITECTURE-3k.