🖲️Community Profile
Most of the CSF elements in this part of the Profile are not specific to executing incident response activities, so they have lower priorities with respect to incident response and do not contain recommendations or considerations. This does not imply that they are unnecessary for organizations to achieve, but rather that they are outside of the direct scope of responding to incidents.
Preparation and Lessons Learned
| CSF Element | CSF Element Description | Priority | Recommendations, Considerations, Notes |
|---|---|---|---|
| GV (Govern) | The organization's cybersecurity risk management strategy, expectations, and policy are established, communicated, and monitored. | Low | - |
| GV.OC (Organizational Context) | The circumstances (mission, stakeholder expectations, dependencies, and legal, regulatory, and contractual requirements) surrounding the organization's cybersecurity risk management decisions are understood. | Low | - |
| GV.OC-01 | The organizational mission is understood and informs cybersecurity risk management. | Low | - |
| GV.OC-02 | Internal and external stakeholders are understood, and their needs and expectations regarding cybersecurity risk management are understood and considered. | Low | - |
| GV.OC-03 | Legal, regulatory, and contractual requirements regarding cybersecurity, including privacy and civil liberties obligations, are understood and managed. | Medium | R1: Include requirements for incident notifications, data breach reporting, and other aspects of incident response. |
| GV.OC-04 | Critical objectives, capabilities, and services that external stakeholders depend on or expect from the organization are understood and communicated. | Medium | N1: Understanding critical external dependencies can aid in prioritizing response and recovery efforts. |
| GV.OC-05 | Outcomes, capabilities, and services that the organization depends on are understood and communicated. | Medium | N1: Understanding critical dependencies on external resources (e.g., cloud-based hosting providers) can aid response and recovery. |
| GV.RM (Risk Management Strategy) | The organization's priorities, constraints, risk tolerance and appetite statements, and assumptions are established, communicated, and used to support operational risk decisions. | Low | - |
| GV.RM-01 | Risk management objectives are established and agreed to by organizational stakeholders. | Low | - |
| GV.RM-02 | Risk appetite and risk tolerance statements are established, communicated, and maintained. | Low | - |
| GV.RM-03 | Cybersecurity risk management activities and outcomes are included in enterprise risk management processes. | Medium | R1: Ensure incident-related decisions are informed by other types of risks (e.g., privacy, operational, safety, AI). |
| GV.RM-04 | Strategic direction that describes appropriate risk response options is established and communicated. | Low | - |
| GV.RM-05 | Lines of communication across the organization are established for cybersecurity risks, including risks from suppliers and other third parties. | Low | - |
| GV.RM-06 | A standardized method for calculating, documenting, categorizing, and prioritizing cybersecurity risks is established and communicated. | Medium | N1: Standardized methods aid response efforts and allow the impacts of incidents to be compared. N2: Use such methods to establish criteria and inform decisions. |
| GV.RM-07 | Strategic opportunities (i.e., positive risks) are characterized and are included in organizational cybersecurity risk discussions. | Low | - |
| GV.RR (Roles, Responsibilities, and Authorities) | Cybersecurity roles, responsibilities, and authorities to foster accountability, performance assessment, and continuous improvement are established and communicated. | Medium | R1: Cybersecurity roles, responsibilities, and authorities should include incident response. |
| GV.RR-01 | Organizational leadership is responsible and accountable for cybersecurity risk and fosters a culture that is risk-aware, ethical, and continually improving. | Medium | R1: See the recommendation for GV.RR. |
| GV.RR-02 | Roles, responsibilities, and authorities related to cybersecurity risk management are established, communicated, understood, and enforced. | Medium | N1: Roles and responsibilities for incident response include internal and third-party participants. R1: Document roles in policies. R2: Designate authority for responsibilities. R3: See the recommendation for GV.RR. |
| GV.RR-03 | Adequate resources are allocated commensurate with the cybersecurity risk strategy, roles, responsibilities, and policies. | Low | - |
| GV.RR-04 | Cybersecurity is included in human resources practices. | Low | - |
| GV.PO (Policy) | Organizational cybersecurity policy is established, communicated, and enforced. | High | R1: Cybersecurity policies should include an incident response policy. |
| GV.PO-01 | Policy for managing cybersecurity risks is established based on organizational context, cybersecurity strategy, and priorities and is communicated and enforced. | Low | - |
| GV.PO-02 | Policy for managing cybersecurity risks is reviewed, updated, communicated, and enforced to reflect changes in requirements, threats, technology, and organizational mission. | Low | - |
| GV.OV (Oversight) | Results of organization-wide cybersecurity risk management activities and performance are used to inform, improve, and adjust the risk management strategy. | Low | - |
| GV.OV-01 | Cybersecurity risk management strategy outcomes are reviewed to inform and adjust strategy and direction. | Medium | R1: Take past cybersecurity incidents into account when adjusting the organization's cybersecurity risk management strategy and direction. |
| GV.OV-02 | The cybersecurity risk management strategy is reviewed and adjusted to ensure coverage of organizational requirements and risks. | Medium | R1: Take risks from past cybersecurity incidents into account when reviewing the organization's cybersecurity risk management strategy. |
| GV.OV-03 | Organizational cybersecurity risk management performance is evaluated and reviewed for adjustments needed. | Low | - |
| GV.SC (Cybersecurity Supply Chain Risk Management) | Cyber supply chain risk management processes are identified, established, managed, monitored, and improved by organizational stakeholders. | Low | - |
| GV.SC-01 | A cybersecurity supply chain risk management program, strategy, objectives, policies, and processes are established and agreed to by organizational stakeholders. | Low | - |