NIST CSF 2.0 · All Functions · GV Govern · GV.OC Organizational Context

GV.OC-05

Outcomes, capabilities, and services that the organization depends on are understood and communicated

Implementation examples

Ex1: Create an inventory of the organization's dependencies on external resources (e.g., facilities, cloud-based hosting providers) and their relationships to organizational assets and business functions
Ex2: Identify and document external dependencies that are potential points of failure for the organization's critical capabilities and services, and share that information with appropriate personnel

Mapped NIST 800-53 r5 controls (5)

Mapped CWE weaknesses (1)

Hover any chip for the human-reviewed coverage assessment in each direction. ← = the CWE covers this subcategory; → = this subcategory covers the CWE. F / M / P = full, mostly, partial.

CWE-1357→P

All informative references (46)

CCMv4.0: BCR-11
CCMv4.0: STA-01
CCMv4.0: STA-04
CRI Profile v2.0: GV.OC-05
CRI Profile v2.0: GV.OC-05.01
CRI Profile v2.0: GV.OC-05.02
CRI Profile v2.0: GV.OC-05.03
CRI Profile v2.0: GV.OC-05.04
CSF v1.1: ID.BE-1
CSF v1.1: ID.BE-4
ISO/IEC 27001:2022: Mandatory Clause: None
ISO/IEC 27001:2022: Annex A Controls: 5.3
NICE Framework: OG-WRL-002
NICE Framework: OG-WRL-006
NICE Framework: OG-WRL-007
NICE Framework: OG-WRL-010
NICE Framework: OG-WRL-014
OWASP Top 10 LLM Applications: LLM03-2025
OWASP Top 10 LLM Applications: LLM10-2025
PCI DSS: 12.8.1
PCI DSS: 12.8.4
PCI DSS: 12.9.1
PCI DSS: 12.9.2
PCI DSS: 1.2.3
PCI DSS: 1.2.4
PCI DSS: 12.5.2
PCI DSS: 12.5.1
SCF: BCD-02
SCF: TPM-02
SP 800-171 Rev 3: 03.11.04
SP 800-171 Rev 3: 03.16.03
SP 800-171 Rev 3: 03.17.02
SP 800-221A: GV.CT-5
SP 800-221A: MA.RI-1
SP 800-53 Rev 5.1.1: PM-11
SP 800-53 Rev 5.1.1: PM-30
SP 800-53 Rev 5.1.1: RA-07
SP 800-53 Rev 5.1.1: SA-09
SP 800-53 Rev 5.1.1: SR-05
SP 800-53 Rev 5.2.0: PM-11
SP 800-53 Rev 5.2.0: PM-30
SP 800-53 Rev 5.2.0: RA-07
SP 800-53 Rev 5.2.0: SA-09
SP 800-53 Rev 5.2.0: SR-05
SP-800-37 Rev 2: RMF Prepare Step (System Level): TASK P-8 Mission or Business Focus
SP-800-37 Rev 2: RMF Prepare Step (System Level): TASK P-10 Asset Identification

Source: NIST Cybersecurity Framework 2.0 · CSF 2.0 → 800-53 mappings sourced from NIST Cybersecurity & Privacy Reference Tool (CPRT) · US government work — attribution requested per NIST Open License Terms. Direct CSF→CWE/CVE cross-references will be added in a Phase B LLM-authored mapping pass (not yet rendered).