NIST CSF 2.0 Mapping (Static Site)

Purpose

Map the security controls of the Riksdagsmonitor static site to the six NIST Cybersecurity Framework (CSF) 2.0 functions and their categories. Category identifiers below use the CSF 2.0 names (PR.AA, PR.PS, GV.PO), not the CSF 1.1 ones (PR.AC, PR.IP, ID.GV).

Core Functions

IDENTIFY (ID)

ID.AM - Asset Management

  • Repository: Hack23/riksdagsmonitor
  • Domain: riksdagsmonitor.com
  • Hosting: GitHub Pages CDN
  • Content: 14 HTML files, CSS, images

ID.RA - Risk Assessment

  • Annual threat modeling (STRIDE)
  • Dependency vulnerability scanning
  • Security header audits

GOVERN (GV)

GV.PO - Policy

  • ISMS policies (Hack23 ISMS-PUBLIC)
  • Secure Development Policy
  • Access control procedures

PROTECT (PR)

PR.AA - Identity Management, Authentication, and Access Control

  • GitHub MFA required
  • Branch protection enabled
  • Required PR reviews

PR.DS - Data Security

  • HTTPS enforced (GitHub Pages "Enforce HTTPS"; the CDN negotiates TLS 1.2 or 1.3 and the site cannot pin a version itself)
  • No cookies/tracking
  • All published content classified as Public

PR.PS - Platform Security

  • Security headers: CSP, deliverable from the repository only as a <meta http-equiv> tag because GitHub Pages does not allow custom response headers; HSTS and X-Frame-Options are header-only, so they depend on what the CDN sends and must be verified, not assumed
  • Dependabot scanning
  • Secret scanning enabled
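The "Security header audits" item under ID.RA and the header list above both assume a way to check what a page actually delivers. The following is an added example (not Riksdagsmonitor or Hack23 code) of such an audit for a static site on a host without custom response headers: it reads a response header map and the page HTML, recognises a CSP supplied through <meta http-equiv>, and flags the controls browsers ignore when they are not sent as real headers. The sample headers and HTML are constructed; the function names `audit`, `parse_csp` and `MetaCSP` are this example's own.

```python
"""Security header audit for a static site on a host without custom response
headers (added example; not the project's own code).

Given a response header map and the page HTML, report each control as OK,
WEAK, MISSING or IGNORED. Sample input below is constructed; for a live
audit pass the headers returned by any HTTP client for the real page.
"""
import re
from html.parser import HTMLParser

ONE_YEAR = 31536000  # smallest HSTS max-age worth reporting as OK


class MetaCSP(HTMLParser):
    """Collect <meta http-equiv="Content-Security-Policy" content="..."> values."""

    def __init__(self):
        super().__init__()
        self.policies = []

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "meta" and a.get("http-equiv", "").lower() == "content-security-policy":
            self.policies.append(a.get("content", ""))


def parse_csp(policy):
    """Split a CSP string into {directive: [source, ...]}."""
    out = {}
    for part in policy.split(";"):
        tokens = part.split()
        if tokens:
            out[tokens[0].lower()] = tokens[1:]
    return out


def audit(headers, html=""):
    """Return {check: (status, detail)} for HSTS, CSP, framing and MIME sniffing."""
    h = {k.lower(): v for k, v in headers.items()}
    result = {}

    # HSTS is honoured only as a real response header; a <meta> copy is ignored.
    hsts = h.get("strict-transport-security")
    if hsts is None:
        result["hsts"] = ("MISSING", "header absent; cannot be supplied from HTML")
    else:
        m = re.search(r"max-age=(\d+)", hsts)
        age = int(m.group(1)) if m else 0
        result["hsts"] = ("OK", hsts) if age >= ONE_YEAR else ("WEAK", f"max-age={age} below one year")

    # CSP: the header wins; otherwise the first <meta http-equiv> policy applies,
    # except that frame-ancestors (and report-uri, sandbox) are ignored in <meta>.
    meta = MetaCSP()
    meta.feed(html)
    via, csp = None, None
    if "content-security-policy" in h:
        via, csp = "header", parse_csp(h["content-security-policy"])
    elif meta.policies:
        via, csp = "meta", parse_csp(meta.policies[0])

    if csp is None:
        result["csp"] = ("MISSING", "no header and no <meta http-equiv> policy")
    else:
        issues = []
        if "default-src" not in csp:
            issues.append("no default-src fallback")
        scripts = csp.get("script-src", csp.get("default-src", []))
        for src in ("'unsafe-inline'", "'unsafe-eval'", "*"):
            if src in scripts:
                issues.append(f"scripts allow {src}")
        result["csp"] = ("WEAK", f"{via}: " + "; ".join(issues)) if issues else ("OK", f"{via}: policy sound")
        if via == "meta" and "frame-ancestors" in csp:
            result["frame-ancestors"] = ("IGNORED", "frame-ancestors has no effect in a <meta> CSP")

    # Clickjacking: X-Frame-Options, or frame-ancestors delivered in the header.
    xfo = h.get("x-frame-options", "").upper()
    if xfo in ("DENY", "SAMEORIGIN") or (via == "header" and "frame-ancestors" in csp):
        result["framing"] = ("OK", xfo or "CSP frame-ancestors")
    else:
        result["framing"] = ("MISSING", "no X-Frame-Options and no header-delivered frame-ancestors")

    nosniff = h.get("x-content-type-options", "").lower() == "nosniff"
    result["nosniff"] = ("OK", "nosniff") if nosniff else ("MISSING", "X-Content-Type-Options: nosniff absent")
    return result


# Constructed sample: a response with no security headers (what a repository
# alone can produce on GitHub Pages) plus a page that sets policy through <meta>.
SAMPLE_HEADERS = {"Content-Type": "text/html; charset=utf-8", "Cache-Control": "max-age=600"}
SAMPLE_HTML = """<!doctype html><html><head>
<meta http-equiv="Content-Security-Policy"
      content="default-src 'self'; script-src 'self' 'unsafe-inline'; frame-ancestors 'none'">
<meta http-equiv="Strict-Transport-Security" content="max-age=31536000">
</head><body>Riksdagsmonitor</body></html>"""

if __name__ == "__main__":
    for check, (status, detail) in audit(SAMPLE_HEADERS, SAMPLE_HTML).items():
        print(f"{check:16} {status:8} {detail}")
```

On the constructed sample the audit reports HSTS, framing and nosniff as MISSING, the CSP as WEAK because of 'unsafe-inline', and the meta-delivered frame-ancestors as IGNORED: exactly the gap between "security headers configured" in a repository and what a browser will enforce. Feed it the live headers from the CDN to see which of those the host closes on its own.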

DETECT (DE)

DE.CM - Continuous Monitoring

  • GitHub audit logs
  • Dependabot alerts
  • CodeQL scanning

DE.AE - Adverse Event Analysis

  • Security advisory monitoring
  • Failed workflow notifications
  • Deployment monitoring

RESPOND (RS)

RS.AN - Incident Analysis

  • Incident classification (CRITICAL/HIGH/MEDIUM/LOW)
  • Root cause analysis
  • Security advisory review

RS.MI - Incident Mitigation

  • Rollback via git revert (preserves history, so it works on a protected branch where force-push is blocked)
  • PR closure for vulnerabilities
  • Emergency deployment procedures

RECOVER (RC)

RC.RP - Incident Recovery Plan Execution

  • Git history (every published revision is recoverable; a clone is a backup only when it lives outside GitHub)
  • Repository mirroring
  • Deployment rollback

RC.CO - Incident Recovery Communication

Implementation Checklist

  • ✅ Asset inventory (ID.AM)
  • ✅ Access controls (PR.AA)
  • ✅ Monitoring enabled (DE.CM)
  • ✅ Incident procedures (RS)
  • ✅ Recovery plan (RC)

References
