Protect
Use safeguards to prevent or reduce cybersecurity risk. The controls, policies, and technical measures that stand between threats and assets.
Build the Walls
Protect is where strategy becomes implementation. The controls you deploy, the access you restrict, the training you deliver, the data you encrypt — all of it lives here. This is the function most people think of when they think “cybersecurity.”
Categories
- PR.AA — Identity Management, Authentication & Access Control — Access to assets is limited to authorized users, services, and hardware, and managed commensurate with risk
- PR.AT — Awareness & Training — Personnel are provided cybersecurity awareness and training so they can perform their duties consistent with security policies
- PR.DS — Data Security — Data is managed consistent with the organization’s risk strategy to protect confidentiality, integrity, and availability
- PR.PS — Platform Security — Hardware, software, and services are managed consistent with the organization’s risk strategy
- PR.IR — Technology Infrastructure Resilience — Security architectures are managed to protect asset confidentiality, integrity, and availability, and organizational resilience
Key Concepts
Identity is the new perimeter. PR.AA is the largest category because in modern architectures, identity and access control is the primary defense. Network perimeters are porous. Zero trust assumes breach and verifies every access request.
Awareness training isn’t checkbox compliance. PR.AT means role-specific, actionable training. Developers need secure coding practices. Finance needs BEC recognition. Executives need social engineering awareness. One annual video doesn’t cut it.
Platform security is hygiene. PR.PS covers patching, configuration management, lifecycle management. The boring stuff that prevents most breaches. Keep it current, keep it hardened, keep it monitored.