NIST CSF 2.0 · All Functions · GV Govern

GV.OC — Organizational Context

The circumstances - mission, stakeholder expectations, dependencies, and legal, regulatory, and contractual requirements - surrounding the organization's cybersecurity risk management decisions are understood

GV.OC-01

The organizational mission is understood and informs cybersecurity risk management

1 implementation example(s) · 1 mapped NIST 800-53 control(s)

GV.OC-02

Internal and external stakeholders are understood, and their needs and expectations regarding cybersecurity risk management are understood and considered

2 implementation example(s) · 7 mapped NIST 800-53 control(s)

GV.OC-03

Legal, regulatory, and contractual requirements regarding cybersecurity - including privacy and civil liberties obligations - are understood and managed

3 implementation example(s) · 21 mapped NIST 800-53 control(s)

GV.OC-04

Critical objectives, capabilities, and services that external stakeholders depend on or expect from the organization are understood and communicated

3 implementation example(s) · 5 mapped NIST 800-53 control(s)

GV.OC-05

Outcomes, capabilities, and services that the organization depends on are understood and communicated

2 implementation example(s) · 5 mapped NIST 800-53 control(s)

Source: NIST Cybersecurity Framework 2.0 · CSF 2.0 → 800-53 mappings sourced from NIST Cybersecurity & Privacy Reference Tool (CPRT) · US government work — attribution requested per NIST Open License Terms. Direct CSF→CWE/CVE cross-references will be added in a Phase B LLM-authored mapping pass (not yet rendered).