GV — Govern
The organization's cybersecurity risk management strategy, expectations, and policy are established, communicated, and monitored
GV.OC Organizational Context
The circumstances - mission, stakeholder expectations, dependencies, and legal, regulatory, and contractual requirements - surrounding the organization's cybersecurity risk management decisions are understood
GV.OV Oversight
Results of organization-wide cybersecurity risk management activities and performance are used to inform, improve, and adjust the risk management strategy
GV.PO Policy
Organizational cybersecurity policy is established, communicated, and enforced
GV.RM Risk Management Strategy
The organization's priorities, constraints, risk tolerance and appetite statements, and assumptions are established, communicated, and used to support operational risk decisions
GV.RR Roles, Responsibilities, and Authorities
Cybersecurity roles, responsibilities, and authorities to foster accountability, performance assessment, and continuous improvement are established and communicated
GV.SC Cybersecurity Supply Chain Risk Management
Cyber supply chain risk management processes are identified, established, managed, monitored, and improved by organizational stakeholders
Source: NIST Cybersecurity Framework 2.0 · CSF 2.0 → 800-53 mappings sourced from NIST Cybersecurity & Privacy Reference Tool (CPRT) · US government work — attribution requested per NIST Open License Terms.