An official website of the United States government
Parts of this site may be down for maintenance from Thursday, December 19, 9:00 p.m. Sunday, December 22, 9:00 a.m. (Eastern).
Share This Page:
The Cybersecurity Supervision Work Program (CSW) provides high-level examination procedures that are aligned with existing supervisory guidance and the National Institute of Standards and Technology Cybersecurity Framework. Users can filter and search for procedures by using the CSW Cross-References table on this page. The procedures are cross-referenced to common industry cybersecurity frameworks. Learn more about the OCC’s cybersecurity supervision.
The CSW is a component of the OCC’s risk-based bank information technology supervision process. The CSW sets no new regulatory expectations, and national banks and federal savings associations are not expected to use this work program to assess cybersecurity preparedness.
Use the filters below to see a table of CSW procedures and the cross-references or click search without applying filters to view all data. Learn more about CSW Cross-References.
Function:
Category:
Procedure:
Unique ID:
Identify /
IT Asset Management /
ID.AM-1.AI
ID.AM-2.SI
ID.AM-3.DF
ID.AM-4.EC
ID.AM-5.DM
ID.AM-5.DI
Business Environment /
ID.BE-1.SC
ID.BE-2.FS
ID.BE-4.CR
ID.BE-5.RR
Governance /
ID.GV-2.CR
ID.GV-3.LR
ID.GV-4.CR
ID.GV-4.AS
ID.GV-4.PT
Risk Assessment /
ID.RA-2.CT
Information Security Booklet
Business Continuity Management Booklet
ID.RA-5.CR
ID.RA-6.RR
Risk Management Strategy /
ID.RM-1.RM
ID.RM-2.RT
ID.RM-3.CI
Supply Chain Risk Management /
ID.SC-1.TP
OCC Bulletin 2023-17
OCC Bulletin 2021-40
OCC Bulletin 2017-43
OCC Bulletin 2017-7
Detect /
Anomalies and Events /
DE.AE-1.NB
DE.AE-1.NA
DE.AE-1.BC
DE.AE-2.EI
DE.AE-2.AP
DE.AE-3.AR
DE.AE-3.TC
DE.AE-4.EI
DE.AE-5.IT
Security Continuous Monitoring /
DE.CM-1.NM
DE.CM-1.NS
OCC Comptroller’s Handbook: Community Bank Supervision
DE.CM-2.PA
Architecture, Infrastructure, and Operations Booklet
DE.CM-4.AA
DE.CM-5.UM
DE.CM-7.ST
DE.CM-8.VS
Detection Processes /
DE.DP-2.ED
DE.DP-3.ET
Respond /
Response Planning /
RS.RP-1.RE
Communications/
RS.CO-3.IS
Analysis /
Mitigation /
Improvements /
Recover /
Recovery Planning /
RC.RP-1.RP
Improvements/
RC.IM-1.RU
Communication/
Protect /
Identity Management, Authentication and Access Control /
PR.AC-1.AM
PR.AC-4.EP
PR.AC-5.NS
Awareness and Training /
Data Security /
Information Protection Processes and Procedures /
Maintenance /
Architecture, Infrastructure, Operations Booklet
Protective Technology /
12 CFR 30 Appendix B (GLBA): II Standards for information security (B 4)
Specialty Area /
Secure Software Development /
SA.SD-1.DG
The CSW Cross-References table above offers several columns of information. Select the sections below to learn more about what is displayed under each column.
The CSW is structured according to the five National Institute of Standards and Technology Cybersecurity Framework (NIST-CSF) functions’ 23 categories. The OCC developed an additional function, Specialty Areas, to address areas of risk that support OCC cybersecurity assessments, where applicable.
The figure below shows how NIST aligns the categories under each function. The OCC developed Specialty Areas that are not included in this figure.
The CSW does not include NIST-CSF subcategories that are addressed as part of other examination programs or subcategories that do not apply to the OCC bank information technology supervision process.
The unique ID identifies the procedure and its hierarchy. Unique IDs are structured using a hierarchy of NIST-CSF functions, categories, and subcategories. The OCC added two characters at the end to designate the specific procedure. See the figure pictured below.
During supervisory activities, examiners use the procedures to guide their reviews and evaluations of cybersecurity preparedness.
The table provides cross-references that map CSW procedures to existing supervisory guidance and industry frameworks. The cross-references are provided for informational purposes only; inclusion of products, processes, services, manufacturers, or companies in the CSW is not indicative of an OCC endorsement.