NIST CSF 2.0 · All Functions · GV Govern · GV.OC Organizational Context

GV.OC-04

Critical objectives, capabilities, and services that external stakeholders depend on or expect from the organization are understood and communicated

Implementation examples

Ex1: Establish criteria for determining the criticality of capabilities and services as viewed by internal and external stakeholders
Ex2: Determine (e.g., from a business impact analysis) assets and business operations that are vital to achieving mission objectives and the potential impact of a loss (or partial loss) of such operations
Ex3: Establish and communicate resilience objectives (e.g., recovery time objectives) for delivering critical capabilities and services in various operating states (e.g., under attack, during recovery, normal operation)

Mapped NIST 800-53 r5 controls (5)

CP-02(08)PM-08 PM-11 PM-30(01)RA-09

All informative references (44)

CCMv4.0: BCR-01
CCMv4.0: BCR-02
CCMv4.0: BCR-03
CCMv4.0: BCR-11
CCMv4.0: IVS-02
CCMv4.0: STA-05
CRI Profile v2.0: GV.OC-04
CRI Profile v2.0: GV.OC-04.01
CRI Profile v2.0: GV.OC-04.02
CRI Profile v2.0: GV.OC-04.03
CRI Profile v2.0: GV.OC-04.04
CSF v1.1: ID.BE-4
CSF v1.1: ID.BE-5
CoP: A1
ISO/IEC 27001:2022: Mandatory Clause: 4.2(a)
ISO/IEC 27001:2022: Mandatory Clause: 4.2(b)
ISO/IEC 27001:2022: Annex A Controls: 5.20
ISO/IEC 27001:2022: Annex A Controls: 5.31
NICE Framework: OG-WRL-002
NICE Framework: OG-WRL-006
NICE Framework: OG-WRL-007
NICE Framework: OG-WRL-010
NICE Framework: OG-WRL-014
OWASP Top 10 LLM Applications: LLM09-2025
OWASP Top 10 LLM Applications: LLM10-2025
PCI DSS: 12.10.1
PCI DSS: 12.5.2
PCI DSS: 12.5.1
SCF: BCD-02
SCF: TPM-02
SP 800-221A: MA.RI-1
SP 800-53 Rev 5.1.1: PM-08
SP 800-53 Rev 5.1.1: PM-11
SP 800-53 Rev 5.1.1: CP-02(08)
SP 800-53 Rev 5.1.1: PM-30(01)
SP 800-53 Rev 5.1.1: RA-09
SP 800-53 Rev 5.2.0: PM-08
SP 800-53 Rev 5.2.0: PM-11
SP 800-53 Rev 5.2.0: CP-02(08)
SP 800-53 Rev 5.2.0: PM-30(01)
SP 800-53 Rev 5.2.0: RA-09
SP-800-37 Rev 2: RMF Prepare Step (Organization & Mission/Business Levels): TASK P-2 Risk Management Strategy
SP-800-37 Rev 2: RMF Prepare Step (System Level): TASK P-8 Mission or Business Focus
SP-800-37 Rev 2: RMF Prepare Step (System Level): TASK P-9 System Stakeholders

Source: NIST Cybersecurity Framework 2.0 · CSF 2.0 → 800-53 mappings sourced from NIST Cybersecurity & Privacy Reference Tool (CPRT) · US government work — attribution requested per NIST Open License Terms. Direct CSF→CWE/CVE cross-references will be added in a Phase B LLM-authored mapping pass (not yet rendered).