Operational Events Calendar

12-month recurring safeguard activities mapped by frequency.

Plus ongoing daily/weekly activities

Activity Types

Review Scan Test Training Assessment Update

January

28
Control 1: Inventory and Control of Enterprise Assets
1.1

Establish and Maintain Detailed Enterprise Asset Inventory

Review · Bi-annually
Control 2: Inventory and Control of Software Assets
2.1

Establish and Maintain a Software Inventory

Review · Bi-annually
2.2

Ensure Authorized Software is Currently Supported

Review · Monthly
2.3

Address Unauthorized Software

Review · Monthly
2.5

Allowlist Authorized Software

Review · Bi-annually
2.6

Allowlist Authorized Libraries

Review · Bi-annually
2.7

Allowlist Authorized Scripts

Review · Bi-annually
Control 5: Account Management
5.1

Establish and Maintain an Inventory of Accounts

Review · Quarterly
5.5

Establish and Maintain an Inventory of Service Accounts

Review · Quarterly
Control 7: Continuous Vulnerability Management
7.2

Establish and Maintain a Remediation Process

Review · Monthly
7.3

Perform Automated Operating System Patch Management

Update · Monthly
7.4

Perform Automated Application Patch Management

Update · Monthly
7.5

Perform Automated Vulnerability Scans of Internal Enterprise Assets

Scan · Quarterly
7.6

Perform Automated Vulnerability Scans of Externally-Exposed Enterprise Assets

Scan · Monthly
7.7

Remediate Detected Vulnerabilities

Review · Monthly
Control 11: Data Recovery
11.5

Test Data Recovery

Test · Quarterly
Control 12: Network Infrastructure Management
12.1

Ensure Network Infrastructure is Up-to-Date

Review · Monthly
Control 13: Network Monitoring and Defense
13.11

Tune Security Event Alerting Thresholds

Review · Monthly
Control 16: Application Software Security
16.4

Establish and Manage an Inventory of Third-Party Software Components

Review · Monthly
Control 17: Incident Response Management
17.1

Designate Personnel to Manage Incident Handling

Test · Annually
17.2

Establish and Maintain Contact Information for Reporting Security Incidents

Review · Annually
17.3

Establish and Maintain an Enterprise Process for Reporting Incidents

Review · Annually
17.4

Establish and Maintain an Incident Response Process

Review · Annually
17.5

Assign Key Roles and Responsibilities

Review · Annually
17.6

Define Mechanisms for Communicating During Incident Response

Review · Annually
17.7

Conduct Routine Incident Response Exercises

Test · Annually
17.8

Conduct Post-Incident Reviews

Review · Annually
17.9

Establish and Maintain Security Incident Thresholds

Review · Annually

March

33
Control 2: Inventory and Control of Software Assets
2.2

Ensure Authorized Software is Currently Supported

Review · Monthly
2.3

Address Unauthorized Software

Review · Monthly
Control 3: Data Protection
3.1

Establish and Maintain a Data Management Process

Review · Annually
3.10

Encrypt Sensitive Data in Transit

Review · Annually
3.11

Encrypt Sensitive Data at Rest

Review · Annually
3.12

Segment Data Processing and Storage Based on Sensitivity

Review · Annually
3.13

Deploy a Data Loss Prevention Solution

Update · Annually
3.14

Log Sensitive Data Access

Review · Annually
3.2

Establish and Maintain a Data Inventory

Review · Annually
3.3

Configure Data Access Control Lists

Review · Annually
3.4

Enforce Data Retention

Review · Annually
3.5

Securely Dispose of Data

Review · Annually
3.6

Encrypt Data on End-User Devices

Review · Annually
3.7

Establish and Maintain a Data Classification Scheme

Review · Annually
3.8

Document Data Flows

Review · Annually
3.9

Encrypt Data on Removable Media

Review · Annually
Control 7: Continuous Vulnerability Management
7.2

Establish and Maintain a Remediation Process

Review · Monthly
7.3

Perform Automated Operating System Patch Management

Update · Monthly
7.4

Perform Automated Application Patch Management

Update · Monthly
7.6

Perform Automated Vulnerability Scans of Externally-Exposed Enterprise Assets

Scan · Monthly
7.7

Remediate Detected Vulnerabilities

Review · Monthly
Control 12: Network Infrastructure Management
12.1

Ensure Network Infrastructure is Up-to-Date

Review · Monthly
Control 13: Network Monitoring and Defense
13.11

Tune Security Event Alerting Thresholds

Review · Monthly
Control 14: Security Awareness and Skills Training
14.1

Establish and Maintain a Security Awareness Program

Training · Annually
14.2

Train Workforce Members to Recognize Social Engineering Attacks

Training · Annually
14.3

Train Workforce Members on Authentication Best Practices

Training · Annually
14.4

Train Workforce on Data Handling Best Practices

Training · Annually
14.5

Train Workforce Members on Causes of Unintentional Data Exposure

Training · Annually
14.6

Train Workforce Members on Recognizing and Reporting Security Incidents

Training · Annually
14.7

Train Workforce on How to Identify and Report if Their Enterprise Assets are Missing Security Updates

Training · Annually
14.8

Train Workforce on the Dangers of Connecting to and Transmitting Enterprise Data Over Insecure Networks

Training · Annually
14.9

Conduct Role-Specific Security Awareness and Skills Training

Training · Annually
Control 16: Application Software Security
16.4

Establish and Manage an Inventory of Third-Party Software Components

Review · Monthly

April

26
Control 2: Inventory and Control of Software Assets
2.2

Ensure Authorized Software is Currently Supported

Review · Monthly
2.3

Address Unauthorized Software

Review · Monthly
Control 4: Secure Configuration of Enterprise Assets and Software
4.1

Establish and Maintain a Secure Configuration Process

Review · Annually
4.10

Enforce Automatic Device Lockout on Portable End-User Devices

Review · Annually
4.11

Enforce Remote Wipe Capability on Portable End-User Devices

Review · Annually
4.12

Separate Enterprise Workspaces on Mobile End-User Devices

Review · Annually
4.2

Establish and Maintain a Secure Configuration Process for Network Infrastructure

Review · Annually
4.3

Configure Automatic Session Locking on Enterprise Assets

Review · Annually
4.4

Implement and Manage a Firewall on Servers

Review · Annually
4.5

Implement and Manage a Firewall on End-User Devices

Review · Annually
4.6

Securely Manage Enterprise Assets and Software

Review · Annually
4.7

Manage Default Accounts on Enterprise Assets and Software

Review · Annually
4.8

Uninstall or Disable Unnecessary Services on Enterprise Assets and Software

Update · Annually
4.9

Configure Trusted DNS Servers on Enterprise Assets

Review · Annually
Control 5: Account Management
5.1

Establish and Maintain an Inventory of Accounts

Review · Quarterly
5.5

Establish and Maintain an Inventory of Service Accounts

Review · Quarterly
Control 7: Continuous Vulnerability Management
7.2

Establish and Maintain a Remediation Process

Review · Monthly
7.3

Perform Automated Operating System Patch Management

Update · Monthly
7.4

Perform Automated Application Patch Management

Update · Monthly
7.5

Perform Automated Vulnerability Scans of Internal Enterprise Assets

Scan · Quarterly
7.6

Perform Automated Vulnerability Scans of Externally-Exposed Enterprise Assets

Scan · Monthly
7.7

Remediate Detected Vulnerabilities

Review · Monthly
Control 11: Data Recovery
11.5

Test Data Recovery

Test · Quarterly
Control 12: Network Infrastructure Management
12.1

Ensure Network Infrastructure is Up-to-Date

Review · Monthly
Control 13: Network Monitoring and Defense
13.11

Tune Security Event Alerting Thresholds

Review · Monthly
Control 16: Application Software Security
16.4

Establish and Manage an Inventory of Third-Party Software Components

Review · Monthly

May

21
Control 2: Inventory and Control of Software Assets
2.2

Ensure Authorized Software is Currently Supported

Review · Monthly
2.3

Address Unauthorized Software

Review · Monthly
Control 5: Account Management
5.2

Use Unique Passwords

Review · Annually
5.3

Disable Dormant Accounts

Review · Annually
5.4

Restrict Administrator Privileges to Dedicated Administrator Accounts

Review · Annually
5.6

Centralize Account Management

Review · Annually
Control 7: Continuous Vulnerability Management
7.2

Establish and Maintain a Remediation Process

Review · Monthly
7.3

Perform Automated Operating System Patch Management

Update · Monthly
7.4

Perform Automated Application Patch Management

Update · Monthly
7.6

Perform Automated Vulnerability Scans of Externally-Exposed Enterprise Assets

Scan · Monthly
7.7

Remediate Detected Vulnerabilities

Review · Monthly
Control 12: Network Infrastructure Management
12.1

Ensure Network Infrastructure is Up-to-Date

Review · Monthly
Control 13: Network Monitoring and Defense
13.11

Tune Security Event Alerting Thresholds

Review · Monthly
Control 15: Service Provider Management
15.1

Establish and Maintain an Inventory of Service Providers

Review · Annually
15.2

Establish and Maintain a Service Provider Management Policy

Review · Annually
15.3

Classify Service Providers

Review · Annually
15.4

Ensure Service Provider Contracts Include Security Requirements

Review · Annually
15.5

Assess Service Providers

Review · Annually
15.6

Monitor Service Providers

Review · Annually
15.7

Securely Decommission Service Providers

Review · Annually
Control 16: Application Software Security
16.4

Establish and Manage an Inventory of Third-Party Software Components

Review · Monthly

June

18
Control 2: Inventory and Control of Software Assets
2.2

Ensure Authorized Software is Currently Supported

Review · Monthly
2.3

Address Unauthorized Software

Review · Monthly
Control 6: Access Control Management
6.1

Establish an Access Granting Process

Review · Annually
6.2

Establish an Access Revoking Process

Review · Annually
6.3

Require MFA for Externally-Exposed Applications

Review · Annually
6.4

Require MFA for Remote Network Access

Review · Annually
6.5

Require MFA for Administrative Access

Review · Annually
6.6

Establish and Maintain an Inventory of Authentication and Authorization Systems

Review · Annually
6.7

Centralize Access Control

Review · Annually
6.8

Define and Maintain Role-Based Access Control

Review · Annually
Control 7: Continuous Vulnerability Management
7.2

Establish and Maintain a Remediation Process

Review · Monthly
7.3

Perform Automated Operating System Patch Management

Update · Monthly
7.4

Perform Automated Application Patch Management

Update · Monthly
7.6

Perform Automated Vulnerability Scans of Externally-Exposed Enterprise Assets

Scan · Monthly
7.7

Remediate Detected Vulnerabilities

Review · Monthly
Control 12: Network Infrastructure Management
12.1

Ensure Network Infrastructure is Up-to-Date

Review · Monthly
Control 13: Network Monitoring and Defense
13.11

Tune Security Event Alerting Thresholds

Review · Monthly
Control 16: Application Software Security
16.4

Establish and Manage an Inventory of Third-Party Software Components

Review · Monthly

July

23
Control 1: Inventory and Control of Enterprise Assets
1.1

Establish and Maintain Detailed Enterprise Asset Inventory

Review · Bi-annually
Control 2: Inventory and Control of Software Assets
2.1

Establish and Maintain a Software Inventory

Review · Bi-annually
2.2

Ensure Authorized Software is Currently Supported

Review · Monthly
2.3

Address Unauthorized Software

Review · Monthly
2.5

Allowlist Authorized Software

Review · Bi-annually
2.6

Allowlist Authorized Libraries

Review · Bi-annually
2.7

Allowlist Authorized Scripts

Review · Bi-annually
Control 5: Account Management
5.1

Establish and Maintain an Inventory of Accounts

Review · Quarterly
5.5

Establish and Maintain an Inventory of Service Accounts

Review · Quarterly
Control 7: Continuous Vulnerability Management
7.1

Establish and Maintain a Vulnerability Management Process

Review · Annually
7.2

Establish and Maintain a Remediation Process

Review · Monthly
7.3

Perform Automated Operating System Patch Management

Update · Monthly
7.4

Perform Automated Application Patch Management

Update · Monthly
7.5

Perform Automated Vulnerability Scans of Internal Enterprise Assets

Scan · Quarterly
7.6

Perform Automated Vulnerability Scans of Externally-Exposed Enterprise Assets

Scan · Monthly
7.7

Remediate Detected Vulnerabilities

Review · Monthly
Control 11: Data Recovery
11.1

Establish and Maintain a Data Recovery Process

Test · Annually
11.3

Protect Recovery Data

Test · Annually
11.4

Establish and Maintain an Isolated Instance of Recovery Data

Test · Annually
11.5

Test Data Recovery

Test · Quarterly
Control 12: Network Infrastructure Management
12.1

Ensure Network Infrastructure is Up-to-Date

Review · Monthly
Control 13: Network Monitoring and Defense
13.11

Tune Security Event Alerting Thresholds

Review · Monthly
Control 16: Application Software Security
16.4

Establish and Manage an Inventory of Third-Party Software Components

Review · Monthly

August

21
Control 2: Inventory and Control of Software Assets
2.2

Ensure Authorized Software is Currently Supported

Review · Monthly
2.3

Address Unauthorized Software

Review · Monthly
Control 7: Continuous Vulnerability Management
7.2

Establish and Maintain a Remediation Process

Review · Monthly
7.3

Perform Automated Operating System Patch Management

Update · Monthly
7.4

Perform Automated Application Patch Management

Update · Monthly
7.6

Perform Automated Vulnerability Scans of Externally-Exposed Enterprise Assets

Scan · Monthly
7.7

Remediate Detected Vulnerabilities

Review · Monthly
Control 8: Audit Log Management
8.1

Establish and Maintain an Audit Log Management Process

Review · Annually
8.10

Retain Audit Logs

Review · Annually
8.12

Collect Service Provider Logs

Review · Annually
8.2

Collect Audit Logs

Review · Annually
8.3

Ensure Adequate Audit Log Storage

Review · Annually
8.4

Standardize Time Synchronization

Review · Annually
8.5

Collect Detailed Audit Logs

Review · Annually
8.6

Collect DNS Query Audit Logs

Review · Annually
8.7

Collect URL Request Audit Logs

Review · Annually
8.8

Collect Command-Line Audit Logs

Review · Annually
8.9

Centralize Audit Logs

Review · Annually
Control 12: Network Infrastructure Management
12.1

Ensure Network Infrastructure is Up-to-Date

Review · Monthly
Control 13: Network Monitoring and Defense
13.11

Tune Security Event Alerting Thresholds

Review · Monthly
Control 16: Application Software Security
16.4

Establish and Manage an Inventory of Third-Party Software Components

Review · Monthly

September

27
Control 2: Inventory and Control of Software Assets
2.2

Ensure Authorized Software is Currently Supported

Review · Monthly
2.3

Address Unauthorized Software

Review · Monthly
Control 7: Continuous Vulnerability Management
7.2

Establish and Maintain a Remediation Process

Review · Monthly
7.3

Perform Automated Operating System Patch Management

Update · Monthly
7.4

Perform Automated Application Patch Management

Update · Monthly
7.6

Perform Automated Vulnerability Scans of Externally-Exposed Enterprise Assets

Scan · Monthly
7.7

Remediate Detected Vulnerabilities

Review · Monthly
Control 9: Email and Web Browser Protections
9.1

Ensure Use of Only Fully Supported Browsers and Email Clients

Review · Annually
9.2

Use DNS Filtering Services

Review · Annually
9.3

Maintain and Enforce Network-Based URL Filters

Review · Annually
9.4

Restrict Unnecessary or Unauthorized Browser and Email Client Extensions

Review · Annually
9.5

Implement DMARC

Review · Annually
9.6

Block Unnecessary File Types

Review · Annually
9.7

Deploy and Maintain Email Server Anti-Malware Protections

Scan · Annually
Control 12: Network Infrastructure Management
12.1

Ensure Network Infrastructure is Up-to-Date

Review · Monthly
Control 13: Network Monitoring and Defense
13.1

Centralize Security Event Alerting

Review · Annually
13.10

Perform Application Layer Filtering

Review · Annually
13.11

Tune Security Event Alerting Thresholds

Review · Monthly
13.2

Deploy a Host-Based Intrusion Detection Solution

Update · Annually
13.3

Deploy a Network Intrusion Detection Solution

Update · Annually
13.4

Perform Traffic Filtering Between Network Segments

Review · Annually
13.5

Manage Access Control for Remote Assets

Review · Annually
13.6

Collect Network Traffic Flow Logs

Review · Annually
13.7

Deploy a Host-Based Intrusion Prevention Solution

Update · Annually
13.8

Deploy a Network Intrusion Prevention Solution

Update · Annually
13.9

Deploy Port-Level Access Control

Update · Annually
Control 16: Application Software Security
16.4

Establish and Manage an Inventory of Third-Party Software Components

Review · Monthly

October

28
Control 2: Inventory and Control of Software Assets
2.2

Ensure Authorized Software is Currently Supported

Review · Monthly
2.3

Address Unauthorized Software

Review · Monthly
Control 5: Account Management
5.1

Establish and Maintain an Inventory of Accounts

Review · Quarterly
5.5

Establish and Maintain an Inventory of Service Accounts

Review · Quarterly
Control 7: Continuous Vulnerability Management
7.2

Establish and Maintain a Remediation Process

Review · Monthly
7.3

Perform Automated Operating System Patch Management

Update · Monthly
7.4

Perform Automated Application Patch Management

Update · Monthly
7.5

Perform Automated Vulnerability Scans of Internal Enterprise Assets

Scan · Quarterly
7.6

Perform Automated Vulnerability Scans of Externally-Exposed Enterprise Assets

Scan · Monthly
7.7

Remediate Detected Vulnerabilities

Review · Monthly
Control 10: Malware Defenses
10.1

Deploy and Maintain Anti-Malware Software

Update · Annually
10.2

Configure Automatic Anti-Malware Signature Updates

Update · Annually
10.3

Disable Autorun and Autoplay for Removable Media

Review · Annually
10.4

Configure Automatic Anti-Malware Scanning of Removable Media

Scan · Annually
10.5

Enable Anti-Exploitation Features

Review · Annually
10.6

Centrally Manage Anti-Malware Software

Review · Annually
10.7

Use Behavior-Based Anti-Malware Software

Review · Annually
Control 11: Data Recovery
11.5

Test Data Recovery

Test · Quarterly
Control 12: Network Infrastructure Management
12.1

Ensure Network Infrastructure is Up-to-Date

Review · Monthly
12.2

Establish and Maintain a Secure Network Architecture

Review · Annually
12.3

Securely Manage Network Infrastructure

Review · Annually
12.4

Establish and Maintain Architecture Diagram(s)

Review · Annually
12.5

Centralize Network Authentication, Authorization, and Auditing (AAA)

Review · Annually
12.6

Use of Secure Network Management and Communication Protocols

Review · Annually
12.7

Ensure Remote Devices Utilize a VPN and are Connecting to an Enterprise’s AAA Infrastructure

Review · Annually
12.8

Establish and Maintain Dedicated Computing Resources for All Administrative Work

Review · Annually
Control 13: Network Monitoring and Defense
13.11

Tune Security Event Alerting Thresholds

Review · Monthly
Control 16: Application Software Security
16.4

Establish and Manage an Inventory of Third-Party Software Components

Review · Monthly

November

23
Control 2: Inventory and Control of Software Assets
2.2

Ensure Authorized Software is Currently Supported

Review · Monthly
2.3

Address Unauthorized Software

Review · Monthly
Control 7: Continuous Vulnerability Management
7.2

Establish and Maintain a Remediation Process

Review · Monthly
7.3

Perform Automated Operating System Patch Management

Update · Monthly
7.4

Perform Automated Application Patch Management

Update · Monthly
7.6

Perform Automated Vulnerability Scans of Externally-Exposed Enterprise Assets

Scan · Monthly
7.7

Remediate Detected Vulnerabilities

Review · Monthly
Control 12: Network Infrastructure Management
12.1

Ensure Network Infrastructure is Up-to-Date

Review · Monthly
Control 13: Network Monitoring and Defense
13.11

Tune Security Event Alerting Thresholds

Review · Monthly
Control 16: Application Software Security
16.1

Establish and Maintain a Secure Application Development Process

Training · Annually
16.10

Apply Secure Design Principles in Application Architectures

Review · Annually
16.11

Leverage Vetted Modules or Services for Application Security Components

Review · Annually
16.12

Implement Code-Level Security Checks

Review · Annually
16.13

Conduct Application Penetration Testing

Assessment · Annually
16.14

Conduct Threat Modeling

Assessment · Annually
16.2

Establish and Maintain a Process to Accept and Address Software Vulnerabilities

Review · Annually
16.3

Perform Root Cause Analysis on Security Vulnerabilities

Review · Annually
16.4

Establish and Manage an Inventory of Third-Party Software Components

Review · Monthly
16.5

Use Up-to-Date and Trusted Third-Party Software Components

Review · Annually
16.6

Establish and Maintain a Severity Rating System and Process for Application Vulnerabilities

Review · Annually
16.7

Use Standard Hardening Configuration Templates for Application Infrastructure

Review · Annually
16.8

Separate Production and Non-Production Systems

Review · Annually
16.9

Train Developers in Application Security Concepts and Secure Coding

Training · Annually
December note: In addition to scheduled activities, December should include a year-end review of all control domains, annual policy attestations, and planning for the upcoming operational cycle.