GV.RM-03
Cybersecurity risk management activities and outcomes are included in enterprise risk management processes
Implementation examples
- Ex1: Aggregate and manage cybersecurity risks alongside other enterprise risks (e.g., compliance, financial, operational, regulatory, reputational, safety)
- Ex2: Include cybersecurity risk managers in enterprise risk management planning
- Ex3: Establish criteria for escalating cybersecurity risks within enterprise risk management
Mapped NIST 800-53 r5 controls (6)
All informative references (52)
- CCMv4.0: GRC-02
- CCMv4.0: A&A-03
- CRI Profile v2.0: GV.RM-03
- CRI Profile v2.0: GV.RM-03.01
- CRI Profile v2.0: GV.RM-03.02
- CRI Profile v2.0: GV.RM-03.03
- CRI Profile v2.0: GV.RM-03.04
- CSF v1.1: ID.GV-4
- CoP: A2
- ISO/IEC 27001:2022: Mandatory Clause: 6.1.3
- ISO/IEC 27001:2022: Annex A Controls: 5.1
- NICE Framework: DD-WRL-002
- NICE Framework: OG-WRL-002
- NICE Framework: OG-WRL-006
- NICE Framework: OG-WRL-007
- NICE Framework: OG-WRL-008
- NICE Framework: OG-WRL-010
- NICE Framework: OG-WRL-011
- NICE Framework: OG-WRL-015
- PCI DSS: 12.5.3
- PCI DSS: 10.4.2.1
- PCI DSS: 11.3.1.1
- PCI DSS: 11.6.1
- PCI DSS: 12.10.4.1
- PCI DSS: 5.2.3.1
- PCI DSS: 5.3.2.1
- PCI DSS: 7.2.5.1
- PCI DSS: 8.6.3
- PCI DSS: 6.3.1
- PCI DSS: 6.3.3
- PCI DSS: 9.5.1.2.1
- PCI DSS: 12.3.4
- PCI DSS: 12.3.3
- PCI DSS: 12.8.3
- SCF: GOV-01
- SCF: RSK-01
- SP 800-171 Rev 3: 03.11.04
- SP 800-171 Rev 3: 03.17.01
- SP 800-221A: GV.PO-2
- SP 800-221A: GV.PO-3
- SP 800-53 Rev 5.1.1: PM-03
- SP 800-53 Rev 5.1.1: PM-09
- SP 800-53 Rev 5.1.1: PM-30
- SP 800-53 Rev 5.1.1: RA-07
- SP 800-53 Rev 5.1.1: SR-02
- SP 800-53 Rev 5.2.0: PM-03
- SP 800-53 Rev 5.2.0: PM-09
- SP 800-53 Rev 5.2.0: PM-30
- SP 800-53 Rev 5.2.0: RA-07
- SP 800-53 Rev 5.2.0: SA-24
- SP 800-53 Rev 5.2.0: SR-02
- SP-800-37 Rev 2: RMF Prepare Step (Organization & Mission/Business Levels): TASK P-2 Risk Management Strategy
Source: NIST Cybersecurity Framework 2.0 · CSF 2.0 → 800-53 mappings sourced from NIST Cybersecurity & Privacy Reference Tool (CPRT) · US government work — attribution requested per NIST Open License Terms. Direct CSF→CWE/CVE cross-references will be added in a Phase B LLM-authored mapping pass (not yet rendered).