NIST CSF 2.0 · All Functions · GV Govern · GV.RM Risk Management Strategy

GV.RM-02

Implementation examples

• Ex1: Determine and communicate risk appetite statements that convey expectations about the appropriate level of risk for the organization
• Ex2: Translate risk appetite statements into specific, measurable, and broadly understandable risk tolerance statements
• Ex3: Refine organizational objectives and risk appetite periodically based on known risk exposure and residual risk

Mapped NIST 800-53 r5 controls (1)

All informative references (36)

• CCMv4.0: GRC-02
• CCMv4.0: BCR-03
• CCMv4.0: IVS-08
• CRI Profile v2.0: GV.RM-02
• CRI Profile v2.0: GV.RM-02.01
• CRI Profile v2.0: GV.RM-02.02
• CRI Profile v2.0: GV.RM-02.03
• CSF v1.1: ID.RM-2
• CSF v1.1: ID.RM-3
• CoP: A3
• Guardian-SDK: GS-CF-01
• IRP: IRP-Sec-5
• IRP: IRP-Sec-5
• IRP: IRP-Sec-5
• ISO/IEC 27001:2022: Mandatory Clause: 6.1.2
• ISO/IEC 27001:2022: Annex A Controls: 5.1
• NICE Framework: DD-WRL-006
• NICE Framework: IO-WRL-003
• NICE Framework: OG-WRL-002
• NICE Framework: OG-WRL-006
• NICE Framework: OG-WRL-007
• NICE Framework: OG-WRL-010
• NICE Framework: OG-WRL-011
• NICE Framework: OG-WRL-013
• NICE Framework: OG-WRL-014
• NICE Framework: OG-WRL-015
• OWASP Top 10 LLM Applications: LLM06-2025
• OWASP Top 10 LLM Applications: LLM09-2025
• SDOS: SDOS-RM-01
• SDOS: SDOS-RM-02
• SDOS: SDOS-RM-03
• SP 800-221A: GV.BE-1
• SP 800-221A: GV.BE-3
• SP 800-53 Rev 5.1.1: PM-09
• SP 800-53 Rev 5.2.0: PM-09
• SP-800-37 Rev 2: RMF Prepare Step (Organization & Mission/Business Levels): TASK P-2 Risk Management Strategy

Source: NIST Cybersecurity Framework 2.0 · CSF 2.0 → 800-53 mappings sourced from NIST Cybersecurity & Privacy Reference Tool (CPRT) · US government work — attribution requested per NIST Open License Terms. Direct CSF→CWE/CVE cross-references will be added in a Phase B LLM-authored mapping pass (not yet rendered).