NIST CSF 2.0 · All Functions · GV Govern · GV.PO Policy

GV.PO-02

Policy for managing cybersecurity risks is reviewed, updated, communicated, and enforced to reflect changes in requirements, threats, technology, and organizational mission

Implementation examples

Ex1: Update policy based on periodic reviews of cybersecurity risk management results to ensure that policy and supporting processes and procedures adequately maintain risk at an acceptable level
Ex2: Provide a timeline for reviewing changes to the organization's risk environment (e.g., changes in risk or in the organization's mission objectives), and communicate recommended policy updates
Ex3: Update policy to reflect changes in legal and regulatory requirements
Ex4: Update policy to reflect changes in technology (e.g., adoption of artificial intelligence) and changes to the business (e.g., acquisition of a new business, new contract requirements)

Mapped NIST 800-53 r5 controls (20)

AC-01 AT-01 AU-01 CA-01 CM-01 CP-01 IA-01 IR-01 MA-01 MP-01 PE-01 PL-01 PM-01 PS-01 PT-01 RA-01 SA-01 SC-01 SI-01 SR-01

All informative references (100)

CCMv4.0: A&A-01
CCMv4.0: AIS-01
CCMv4.0: BCR-01
CCMv4.0: CCC-01
CCMv4.0: CEK-01
CCMv4.0: DCS-01
CCMv4.0: DCS-02
CCMv4.0: DCS-03
CCMv4.0: DCS-04
CCMv4.0: DSP-01
CCMv4.0: GRC-01
CCMv4.0: GRC-03
CCMv4.0: HRS-01
CCMv4.0: HRS-02
CCMv4.0: HRS-03
CCMv4.0: HRS-04
CCMv4.0: IAM-01
CCMv4.0: IAM-02
CCMv4.0: IPY-01
CCMv4.0: IVS-01
CCMv4.0: LOG-01
CCMv4.0: SEF-01
CCMv4.0: SEF-02
CCMv4.0: STA-01
CCMv4.0: TVM-01
CCMv4.0: TVM-02
CCMv4.0: UEM-01
CCMv4.0: UEM-05
CRI Profile v2.0: GV.PO-02
CRI Profile v2.0: GV.PO-02.01
CSF v1.1: ID.GV-1
CoP: C2
CoP: E1
ISO/IEC 27001:2022: Mandatory Clause: 5.2
ISO/IEC 27001:2022: Annex A Controls: 5.1
NICE Framework: IO-WRL-003
NICE Framework: OG-WRL-002
NICE Framework: OG-WRL-007
NICE Framework: OG-WRL-010
PCI DSS: 12.1.2
PCI DSS: 1.1.1
PCI DSS: 2.1.1
PCI DSS: 3.1.1
PCI DSS: 4.1.1
PCI DSS: 5.1.1
PCI DSS: 6.1.1
PCI DSS: 7.1.1
PCI DSS: 8.1.1
PCI DSS: 9.1.1
PCI DSS: 10.1.1
PCI DSS: 11.1.1
SCF: GOV-03
SCF: HRS-07
SDOS: SDOS-AU-01
SDOS: SDOS-GV-01
SDOS: SDOS-GV-04
SDOS: SDOS-GV-05
SP 800-171 Rev 3: 03.15.01
SP 800-221A: GV.PO-1
SP 800-53 Rev 5.1.1: AC-01
SP 800-53 Rev 5.1.1: AT-01
SP 800-53 Rev 5.1.1: AU-01
SP 800-53 Rev 5.1.1: CA-01
SP 800-53 Rev 5.1.1: CM-01
SP 800-53 Rev 5.1.1: CP-01
SP 800-53 Rev 5.1.1: IA-01
SP 800-53 Rev 5.1.1: IR-01
SP 800-53 Rev 5.1.1: MA-01
SP 800-53 Rev 5.1.1: MP-01
SP 800-53 Rev 5.1.1: PE-01
SP 800-53 Rev 5.1.1: PL-01
SP 800-53 Rev 5.1.1: PM-01
SP 800-53 Rev 5.1.1: PS-01
SP 800-53 Rev 5.1.1: PT-01
SP 800-53 Rev 5.1.1: RA-01
SP 800-53 Rev 5.1.1: SA-01
SP 800-53 Rev 5.1.1: SC-01
SP 800-53 Rev 5.1.1: SI-01
SP 800-53 Rev 5.1.1: SR-01
SP 800-53 Rev 5.2.0: AC-01
SP 800-53 Rev 5.2.0: AT-01
SP 800-53 Rev 5.2.0: AU-01
SP 800-53 Rev 5.2.0: CA-01
SP 800-53 Rev 5.2.0: CM-01
SP 800-53 Rev 5.2.0: CP-01
SP 800-53 Rev 5.2.0: IA-01
SP 800-53 Rev 5.2.0: IR-01
SP 800-53 Rev 5.2.0: MA-01
SP 800-53 Rev 5.2.0: MP-01
SP 800-53 Rev 5.2.0: PE-01
SP 800-53 Rev 5.2.0: PL-01
SP 800-53 Rev 5.2.0: PM-01
SP 800-53 Rev 5.2.0: PS-01
SP 800-53 Rev 5.2.0: PT-01
SP 800-53 Rev 5.2.0: RA-01
SP 800-53 Rev 5.2.0: SA-01
SP 800-53 Rev 5.2.0: SC-01
SP 800-53 Rev 5.2.0: SI-01
SP 800-53 Rev 5.2.0: SR-01
SP-800-37 Rev 2: RMF Prepare Step (Organization & Mission/Business Levels): TASK P-2 Risk Management Strategy

Source: NIST Cybersecurity Framework 2.0 · CSF 2.0 → 800-53 mappings sourced from NIST Cybersecurity & Privacy Reference Tool (CPRT) · US government work — attribution requested per NIST Open License Terms. Direct CSF→CWE/CVE cross-references will be added in a Phase B LLM-authored mapping pass (not yet rendered).