NIST CSF 2.0 · All Functions · GV Govern · GV.PO Policy

GV.PO-01

Policy for managing cybersecurity risks is established based on organizational context, cybersecurity strategy, and priorities and is communicated and enforced

Implementation examples

Ex1: Create, disseminate, and maintain an understandable, usable risk management policy with statements of management intent, expectations, and direction
Ex2: Periodically review policy and supporting processes and procedures to ensure that they align with risk management strategy objectives and priorities, as well as the high-level direction of the cybersecurity policy
Ex3: Require approval from senior management on policy
Ex4: Communicate cybersecurity risk management policy and supporting processes and procedures across the organization
Ex5: Require personnel to acknowledge receipt of policy when first hired, annually, and whenever policy is updated

Mapped NIST 800-53 r5 controls (20)

AC-01 AT-01 AU-01 CA-01 CM-01 CP-01 IA-01 IR-01 MA-01 MP-01 PE-01 PL-01 PM-01 PS-01 PT-01 RA-01 SA-01 SC-01 SI-01 SR-01

Mapped CWE weaknesses (1)

Hover any chip for the human-reviewed coverage assessment in each direction. ← = the CWE covers this subcategory; → = this subcategory covers the CWE. F / M / P = full, mostly, partial.

CWE-1426→P

All informative references (107)

BXAIOS: Chapter 3 - The Charter (POP Framework)
CCMv4.0: A&A-01
CCMv4.0: AIS-01
CCMv4.0: BCR-01
CCMv4.0: CCC-01
CCMv4.0: CEK-01
CCMv4.0: DCS-01
CCMv4.0: DCS-02
CCMv4.0: DCS-03
CCMv4.0: DCS-04
CCMv4.0: DSP-01
CCMv4.0: GRC-01
CCMv4.0: HRS-01
CCMv4.0: HRS-02
CCMv4.0: HRS-03
CCMv4.0: HRS-04
CCMv4.0: HRS-09
CCMv4.0: IAM-01
CCMv4.0: IAM-02
CCMv4.0: IPY-01
CCMv4.0: IVS-01
CCMv4.0: LOG-01
CCMv4.0: SEF-01
CCMv4.0: SEF-02
CCMv4.0: STA-01
CCMv4.0: TVM-01
CCMv4.0: TVM-02
CCMv4.0: UEM-01
CCMv4.0: UEM-05
CRI Profile v2.0: GV.PO-01
CRI Profile v2.0: GV.PO-01.01
CRI Profile v2.0: GV.PO-01.02
CRI Profile v2.0: GV.PO-01.03
CRI Profile v2.0: GV.PO-01.04
CRI Profile v2.0: GV.PO-01.05
CRI Profile v2.0: GV.PO-01.06
CRI Profile v2.0: GV.PO-01.07
CRI Profile v2.0: GV.PO-01.08
CSF v1.1: ID.GV-1
CoP: C2
CoP: C2
Guardian-SDK: GS-CF-01
IRP: IRP-Sec-5
IRP: IRP-Sec-5
IRP: IRP-Sec-5
ISO/IEC 27001:2022: Mandatory Clause: 5.2
ISO/IEC 27001:2022: Annex A Controls: 5.1
NICE Framework: IO-WRL-003
NICE Framework: OG-WRL-002
NICE Framework: OG-WRL-007
NICE Framework: OG-WRL-010
OWASP Top 10 LLM Applications: LLM02-2025
OWASP Top 10 LLM Applications: LLM06-2025
PCI DSS: 12.1.1
PCI DSS: 12.6.1
PCI DSS: 12.1.4
PCI DSS: 12.1.2
PCI DSS: 12.1.3
SCF: GOV-02
SCF: HRS-07
SDOS: SDOS-GV-01
SDOS: SDOS-GV-03
SDOS: SDOS-GV-04
SDOS: SDOS-GV-05
SP 800-171 Rev 3: 03.15.01
SP 800-221A: GV.PO-1
SP 800-53 Rev 5.1.1: AC-01
SP 800-53 Rev 5.1.1: AT-01
SP 800-53 Rev 5.1.1: AU-01
SP 800-53 Rev 5.1.1: CA-01
SP 800-53 Rev 5.1.1: CM-01
SP 800-53 Rev 5.1.1: CP-01
SP 800-53 Rev 5.1.1: IA-01
SP 800-53 Rev 5.1.1: IR-01
SP 800-53 Rev 5.1.1: MA-01
SP 800-53 Rev 5.1.1: MP-01
SP 800-53 Rev 5.1.1: PE-01
SP 800-53 Rev 5.1.1: PL-01
SP 800-53 Rev 5.1.1: PM-01
SP 800-53 Rev 5.1.1: PS-01
SP 800-53 Rev 5.1.1: PT-01
SP 800-53 Rev 5.1.1: RA-01
SP 800-53 Rev 5.1.1: SA-01
SP 800-53 Rev 5.1.1: SC-01
SP 800-53 Rev 5.1.1: SI-01
SP 800-53 Rev 5.1.1: SR-01
SP 800-53 Rev 5.2.0: AC-01
SP 800-53 Rev 5.2.0: AT-01
SP 800-53 Rev 5.2.0: AU-01
SP 800-53 Rev 5.2.0: CA-01
SP 800-53 Rev 5.2.0: CM-01
SP 800-53 Rev 5.2.0: CP-01
SP 800-53 Rev 5.2.0: IA-01
SP 800-53 Rev 5.2.0: IR-01
SP 800-53 Rev 5.2.0: MA-01
SP 800-53 Rev 5.2.0: MP-01
SP 800-53 Rev 5.2.0: PE-01
SP 800-53 Rev 5.2.0: PL-01
SP 800-53 Rev 5.2.0: PM-01
SP 800-53 Rev 5.2.0: PS-01
SP 800-53 Rev 5.2.0: PT-01
SP 800-53 Rev 5.2.0: RA-01
SP 800-53 Rev 5.2.0: SA-01
SP 800-53 Rev 5.2.0: SC-01
SP 800-53 Rev 5.2.0: SI-01
SP 800-53 Rev 5.2.0: SR-01
SP-800-37 Rev 2: RMF Prepare Step (Organization & Mission/Business Levels): TASK P-2 Risk Management Strategy

Source: NIST Cybersecurity Framework 2.0 · CSF 2.0 → 800-53 mappings sourced from NIST Cybersecurity & Privacy Reference Tool (CPRT) · US government work — attribution requested per NIST Open License Terms. Direct CSF→CWE/CVE cross-references will be added in a Phase B LLM-authored mapping pass (not yet rendered).