GOVERN
NIST CSF 2.0 GOVERN function — categories and subcategories.
Organizational Context
The circumstances - mission, stakeholder expectations, dependencies, and legal, regulatory, and contractual requirements - surrounding the organization's cybersecurity risk management decisions are understood
  GV.OC-01: The organizational mission is understood and informs cybersecurity risk management
  GV.OC-02: Internal and external stakeholders are understood, and their needs and expectations regarding cybersecurity risk management are understood and considered
  GV.OC-03: Legal, regulatory, and contractual requirements regarding cybersecurity - including privacy and civil liberties obligations - are understood and managed
  GV.OC-04: Critical objectives, capabilities, and services that external stakeholders depend on or expect from the organization are understood and communicated
  GV.OC-05: Outcomes, capabilities, and services that the organization depends on are understood and communicated
Oversight
Results of organization-wide cybersecurity risk management activities and performance are used to inform, improve, and adjust the risk management strategy
  GV.OV-01: Cybersecurity risk management strategy outcomes are reviewed to inform and adjust strategy and direction
  GV.OV-02: The cybersecurity risk management strategy is reviewed and adjusted to ensure coverage of organizational requirements and risks
  GV.OV-03: Organizational cybersecurity risk management performance is evaluated and reviewed for adjustments needed
Policy
Organizational cybersecurity policy is established, communicated, and enforced
  GV.PO-01: Policy for managing cybersecurity risks is established based on organizational context, cybersecurity strategy, and priorities and is communicated and enforced
  GV.PO-02: Policy for managing cybersecurity risks is reviewed, updated, communicated, and enforced to reflect changes in requirements, threats, technology, and organizational mission
Risk Management Strategy
The organization's priorities, constraints, risk tolerance and appetite statements, and assumptions are established, communicated, and used to support operational risk decisions
  GV.RM-01: Risk management objectives are established and agreed to by organizational stakeholders
  GV.RM-02: Risk appetite and risk tolerance statements are established, communicated, and maintained
  GV.RM-03: Cybersecurity risk management activities and outcomes are included in enterprise risk management processes
  GV.RM-04: Strategic direction that describes appropriate risk response options is established and communicated
  GV.RM-05: Lines of communication across the organization are established for cybersecurity risks, including risks from suppliers and other third parties
  GV.RM-06: A standardized method for calculating, documenting, categorizing, and prioritizing cybersecurity risks is established and communicated
  GV.RM-07: Strategic opportunities (i.e., positive risks) are characterized and are included in organizational cybersecurity risk discussions
Roles, Responsibilities, and Authorities
Cybersecurity roles, responsibilities, and authorities to foster accountability, performance assessment, and continuous improvement are established and communicated
  GV.RR-01: Organizational leadership is responsible and accountable for cybersecurity risk and fosters a culture that is risk-aware, ethical, and continually improving
  GV.RR-02: Roles, responsibilities, and authorities related to cybersecurity risk management are established, communicated, understood, and enforced
  GV.RR-03: Adequate resources are allocated commensurate with the cybersecurity risk strategy, roles, responsibilities, and policies
  GV.RR-04: Cybersecurity is included in human resources practices
Cybersecurity Supply Chain Risk Management
Cyber supply chain risk management processes are identified, established, managed, monitored, and improved by organizational stakeholders
  GV.SC-01: A cybersecurity supply chain risk management program, strategy, objectives, policies, and processes are established and agreed to by organizational stakeholders
  GV.SC-02: Cybersecurity roles and responsibilities for suppliers, customers, and partners are established, communicated, and coordinated internally and externally
  GV.SC-03: Cybersecurity supply chain risk management is integrated into cybersecurity and enterprise risk management, risk assessment, and improvement processes
  GV.SC-04: Suppliers are known and prioritized by criticality
  GV.SC-05: Requirements to address cybersecurity risks in supply chains are established, prioritized, and integrated into contracts and other types of agreements with suppliers and other relevant third parties
  GV.SC-06: Planning and due diligence are performed to reduce risks before entering into formal supplier or other third-party relationships
  GV.SC-07: The risks posed by a supplier, their products and services, and other third parties are understood, recorded, prioritized, assessed, responded to, and monitored over the course of the relationship
  GV.SC-08: Relevant suppliers and other third parties are included in incident planning, response, and recovery activities
  GV.SC-09: Supply chain security practices are integrated into cybersecurity and enterprise risk management programs, and their performance is monitored throughout the technology product and service life cycle
  GV.SC-10: Cybersecurity supply chain risk management plans include provisions for activities that occur after the conclusion of a partnership or service agreement