NIST CSF 2.0 · All Functions · GV Govern · GV.OC Organizational Context

GV.OC-02

Internal and external stakeholders are understood, and their needs and expectations regarding cybersecurity risk management are understood and considered

Implementation examples

Ex1: Identify relevant internal stakeholders and their cybersecurity-related expectations (e.g., performance and risk expectations of officers, directors, and advisors; cultural expectations of employees)
Ex2: Identify relevant external stakeholders and their cybersecurity-related expectations (e.g., privacy expectations of customers, business expectations of partnerships, compliance expectations of regulators, ethics expectations of society)

Mapped NIST 800-53 r5 controls (7)

PM-09 PM-18 PM-30 SR-03 SR-05 SR-06 SR-08

All informative references (58)

CCMv4.0: STA-08
CCMv4.0: STA-13
CRI Profile v2.0: GV.OC-02
CRI Profile v2.0: GV.OC-02.01
CRI Profile v2.0: GV.OC-02.02
CRI Profile v2.0: GV.OC-02.03
CSF v1.1: ID.SC-2
CSF v1.1: ID.GV-2
CoP: A1
CoP: E2
CoP: E3
ISO/IEC 27001:2022: Mandatory Clause: 4.1
ISO/IEC 27001:2022: Mandatory Clause: 4.2
ISO/IEC 27001:2022: Mandatory Clause: 4.4
ISO/IEC 27001:2022: Mandatory Clause: 6.1
ISO/IEC 27001:2022: Mandatory Clause: 8.1
ISO/IEC 27001:2022: Mandatory Clause: 8.2
ISO/IEC 27001:2022: Mandatory Clause: 8.3
ISO/IEC 27001:2022: Annex A Controls:
NICE Framework: OG-WRL-002
NICE Framework: OG-WRL-006
NICE Framework: OG-WRL-007
NICE Framework: OG-WRL-010
NICE Framework: OG-WRL-014
OWASP Top 10 LLM Applications: LLM02-2025
OWASP Top 10 LLM Applications: LLM09-2025
PCI DSS: 12.8.1
PCI DSS: 12.8.5
PCI DSS: 12.9.1
PCI DSS: 12.9.2
PCI DSS: 12.1.4
SCF: TPM-05
SCF: TPM-05.4
SP 800-171 Rev 3: 03.11.01
SP 800-171 Rev 3: 03.17.02
SP 800-171 Rev 3: 03.17.03
SP 800-221A: GV.OV-2
SP 800-221A: GV.CT-2
SP 800-221A: GV.CT-3
SP 800-53 Rev 5.1.1: PM-09
SP 800-53 Rev 5.1.1: PM-18
SP 800-53 Rev 5.1.1: PM-30
SP 800-53 Rev 5.1.1: SR-03
SP 800-53 Rev 5.1.1: SR-05
SP 800-53 Rev 5.1.1: SR-06
SP 800-53 Rev 5.1.1: SR-08
SP 800-53 Rev 5.2.0: PM-09
SP 800-53 Rev 5.2.0: PM-18
SP 800-53 Rev 5.2.0: PM-30
SP 800-53 Rev 5.2.0: SR-03
SP 800-53 Rev 5.2.0: SR-05
SP 800-53 Rev 5.2.0: SR-06
SP 800-53 Rev 5.2.0: SR-08
SP-800-37 Rev 2: RMF Prepare Step - Organization and Mission/Business Level - Task P-1: Risk Management Roles
SP-800-37 Rev 2: RMF Prepare Step - Organization and Mission/Business Level - Task P-3: Risk Assessment - Organizat
SP-800-37 Rev 2: RMF Prepare Step (System Level): TASK P-9 System Stakeholders
SP-800-37 Rev 2: RMF Prepare Step (System Level): TASK P-15 Requirements Definition
SSDF: PO.2.1

Source: NIST Cybersecurity Framework 2.0 · CSF 2.0 → 800-53 mappings sourced from NIST Cybersecurity & Privacy Reference Tool (CPRT) · US government work — attribution requested per NIST Open License Terms. Direct CSF→CWE/CVE cross-references will be added in a Phase B LLM-authored mapping pass (not yet rendered).