NIST CSF 2.0 · All Functions · GV Govern · GV.OC Organizational Context

GV.OC-03

Implementation examples

• Ex1: Determine a process to track and manage legal and regulatory requirements regarding protection of individuals' information (e.g., Health Insurance Portability and Accountability Act, California Consumer Privacy Act, General Data Protection Regulation)
• Ex2: Determine a process to track and manage contractual requirements for cybersecurity management of supplier, customer, and partner information
• Ex3: Align the organization's cybersecurity strategy with legal, regulatory, and contractual requirements

Mapped NIST 800-53 r5 controls (21)

All informative references (109)

• CCMv4.0: CEK-12
• CCMv4.0: CEK-13
• CCMv4.0: CEK-14
• CCMv4.0: CEK-15
• CCMv4.0: CEK-16
• CCMv4.0: CEK-17
• CCMv4.0: CEK-18
• CCMv4.0: CEK-19
• CCMv4.0: CEK-20
• CCMv4.0: CEK-21
• CCMv4.0: DSP-01
• CCMv4.0: DSP-10
• CCMv4.0: DSP-11
• CCMv4.0: DSP-12
• CCMv4.0: DSP-16
• CCMv4.0: DSP-18
• CCMv4.0: GRC-07
• CCMv4.0: HRS-13
• CCMv4.0: STA-05
• CCMv4.0: STA-13
• CRI Profile v2.0: GV.OC-03
• CRI Profile v2.0: GV.OC-03.01
• CRI Profile v2.0: GV.OC-03.02
• CSF v1.1: ID.GV-3
• CoP: A1
• CoP: D3
• CoP: E2
• CoP: E3
• CoP: E4
• CoP: E5
• ISO/IEC 27001:2022: Mandatory Clause: 4.2(a)
• ISO/IEC 27001:2022: Mandatory Clause: 4.2(b)
• ISO/IEC 27001:2022: Annex A Controls: 5.20
• ISO/IEC 27001:2022: Annex A Controls: 5.31
• NICE Framework: OG-WRL-002
• NICE Framework: OG-WRL-006
• NICE Framework: OG-WRL-007
• NICE Framework: OG-WRL-008
• NICE Framework: OG-WRL-010
• OWASP Top 10 LLM Applications: LLM02-2025
• OWASP Top 10 LLM Applications: LLM03-2025
• OWASP Top 10 LLM Applications: LLM09-2025
• PCI DSS: 12.8.2
• PCI DSS: 12.8.4
• PCI DSS: 12.8.5
• PCI DSS: 12.8.1
• PCI DSS: 12.9.1
• PCI DSS: 12.9.2
• PCI DSS: 3.2.1
• PCI DSS: 9.4.6
• PCI DSS: 9.4.7
• SCF: CPL-01
• SCF: CPL-02
• SCF: PRI-01
• SCF: TPM-05
• SCF: TPM-05.2
• SDOS: SDOS-GV-01
• SDOS: SDOS-GV-03
• SDOS: SDOS-GV-05
• SP 800-171 Rev 3: 03.15.01
• SP 800-53 Rev 5.1.1: AC-01
• SP 800-53 Rev 5.1.1: AT-01
• SP 800-53 Rev 5.1.1: AU-01
• SP 800-53 Rev 5.1.1: CA-01
• SP 800-53 Rev 5.1.1: CM-01
• SP 800-53 Rev 5.1.1: CP-01
• SP 800-53 Rev 5.1.1: IA-01
• SP 800-53 Rev 5.1.1: IR-01
• SP 800-53 Rev 5.1.1: MA-01
• SP 800-53 Rev 5.1.1: MP-01
• SP 800-53 Rev 5.1.1: PE-01
• SP 800-53 Rev 5.1.1: PL-01
• SP 800-53 Rev 5.1.1: PM-01
• SP 800-53 Rev 5.1.1: PS-01
• SP 800-53 Rev 5.1.1: PT-01
• SP 800-53 Rev 5.1.1: RA-01
• SP 800-53 Rev 5.1.1: SA-01
• SP 800-53 Rev 5.1.1: SC-01
• SP 800-53 Rev 5.1.1: SI-01
• SP 800-53 Rev 5.1.1: SR-01
• SP 800-53 Rev 5.1.1: PM-28
• SP 800-53 Rev 5.1.1: PT
• SP 800-53 Rev 5.2.0: AC-01
• SP 800-53 Rev 5.2.0: AT-01
• SP 800-53 Rev 5.2.0: AU-01
• SP 800-53 Rev 5.2.0: CA-01
• SP 800-53 Rev 5.2.0: CM-01
• SP 800-53 Rev 5.2.0: CP-01
• SP 800-53 Rev 5.2.0: IA-01
• SP 800-53 Rev 5.2.0: IR-01
• SP 800-53 Rev 5.2.0: MA-01
• SP 800-53 Rev 5.2.0: MP-01
• SP 800-53 Rev 5.2.0: PE-01
• SP 800-53 Rev 5.2.0: PL-01
• SP 800-53 Rev 5.2.0: PM-01
• SP 800-53 Rev 5.2.0: PS-01
• SP 800-53 Rev 5.2.0: PT-01
• SP 800-53 Rev 5.2.0: RA-01
• SP 800-53 Rev 5.2.0: SA-01
• SP 800-53 Rev 5.2.0: SC-01
• SP 800-53 Rev 5.2.0: SI-01
• SP 800-53 Rev 5.2.0: SR-01
• SP 800-53 Rev 5.2.0: PM-28
• SP 800-53 Rev 5.2.0: PT
• SP-800-37 Rev 2: RMF Prepare Step (Organization & Mission/Business Levels): TASK P-2 Risk Management Strategy
• SP-800-37 Rev 2: RMF Prepare Step (System Level): TASK P-15 Requirements Definition
• SP-800-37 Rev 2: RMF Prepare Step (System Level): TASK P-17 Requirements Allocation
• SSDF: PO.1.1
• SSDF: PO.1.2

Source: NIST Cybersecurity Framework 2.0 · CSF 2.0 → 800-53 mappings sourced from NIST Cybersecurity & Privacy Reference Tool (CPRT) · US government work — attribution requested per NIST Open License Terms. Direct CSF→CWE/CVE cross-references will be added in a Phase B LLM-authored mapping pass (not yet rendered).