The cybersecurity program strategy identifies standards and guidelines intended to be followed by the program
Context and Guidance: Standards or guidelines are identified to inform the implementation of practices in the cybersecurity program that will have implications for activities in all C2M2 domains. These may simply be the reference sources the organisation consulted when developing the plan for performing the practices. They should include any standards or guidelines required by policy. If the organisation is using C2M2 to guide its cybersecurity program activities, C2M2 could be one of the guidelines identified in the program strategy. Other examples of standards and guidelines are • National Institute of Standards and Technology (NIST) SP 800 guidelines such as 800-53, 800-124, 800-61, 800-82, 800-30 • NIST Framework for Improving Critical Infrastructure Cybersecurity (CSF) • Zero trust security models (for example, NIST SP 800-207) • the Center for Internet Security (CIS) Critical Security Controls • Control Objectives for Information and Related Technologies (COBIT) • International Organisation for Standardisation (ISO) • DOE Cybersecurity Procurement Language for Energy Delivery Systems
Related Practices • Progression: This practice is part of a practice progression. Practice progressions are groups of related practices that represent increasingly complete or more advanced implementations of an activity. The practices in this progression include: PROGRAM-1a, PROGRAM-1b, PROGRAM-1c, PROGRAM-1d, PROGRAM-1e, PROGRAM-1f, PROGRAM-1g, PROGRAM-1h.