NIST CSF 2.0 · All Functions · GV Govern · GV.OV Oversight

GV.OV-03

Organizational cybersecurity risk management performance is evaluated and reviewed for adjustments needed

Implementation examples

Ex1: Review key performance indicators (KPIs) to ensure that organization-wide policies and procedures achieve objectives
Ex2: Review key risk indicators (KRIs) to identify risks the organization faces, including likelihood and potential impact
Ex3: Collect and communicate metrics on cybersecurity risk management with senior leadership

Mapped NIST 800-53 r5 controls (4)

All informative references (44)

CCMv4.0: AIS-03
CRI Profile v2.0: GV.OV-03
CRI Profile v2.0: GV.OV-03.01
CRI Profile v2.0: GV.OV-03.02
CoP: E1
ISO/IEC 27001:2022: Mandatory Clause: 9.1
ISO/IEC 27001:2022: Annex A Controls: 5.1
ISO/IEC 27001:2022: Annex A Controls: 5.19
ISO/IEC 27001:2022: Annex A Controls: 5.20
NICE Framework: OG-WRL-002
NICE Framework: OG-WRL-003
NICE Framework: OG-WRL-007
PCI DSS: 12.4.2
PCI DSS: 10.7.2
PCI DSS: 7.2.5.1
PCI DSS: 11.3.1
PCI DSS: 11.3.2
PCI DSS: 11.4.4
PCI DSS: 12.3.1
PCI DSS: 12.3.4
SCF: GOV-05
SCF: RSK-01
SDOS: SDOS-AU-01
SDOS: SDOS-AU-02
SDOS: SDOS-RS-01
SP 800-171 Rev 3: 03.11.01
SP 800-171 Rev 3: 03.11.04
SP 800-221A: GV.OV-2
SP 800-221A: MA.RM-2
SP 800-53 Rev 5.1.1: PM-04
SP 800-53 Rev 5.1.1: PM-06
SP 800-53 Rev 5.1.1: RA-07
SP 800-53 Rev 5.1.1: SR-06
SP 800-53 Rev 5.2.0: PM-04
SP 800-53 Rev 5.2.0: PM-06
SP 800-53 Rev 5.2.0: RA-07
SP 800-53 Rev 5.2.0: SR-06
SP-800-37 Rev 2: RMF Prepare Step (Organization & Mission/Business Levels): TASK P-2 Risk Management Strategy
SP-800-37 Rev 2: RMF Prepare Step (Organization & Mission/Business Levels): TASK P-3 Risk Assessment—Organization
SP-800-37 Rev 2: RMF Prepare Step (Organization & Mission/Business Levels): TASK P-7 Continuous Monitoring Strategy—O
SP-800-37 Rev 2: RMF Prepare Step (System Level): TASK P-14 Risk Assessment—System
SP-800-37 Rev 2: RMF Authorize Step: TASK R-3 Risk Response
SP-800-37 Rev 2: RMF Monitor Step: TASK M-2 Ongoing Assessments
SP-800-37 Rev 2: RMF Monitor Step: TASK M-3 Ongoing Risk Response

Source: NIST Cybersecurity Framework 2.0 · CSF 2.0 → 800-53 mappings sourced from NIST Cybersecurity & Privacy Reference Tool (CPRT) · US government work — attribution requested per NIST Open License Terms. Direct CSF→CWE/CVE cross-references will be added in a Phase B LLM-authored mapping pass (not yet rendered).