NIST CSF 2.0 · All Functions · GV Govern · GV.RM Risk Management Strategy

GV.RM-04

Strategic direction that describes appropriate risk response options is established and communicated

Implementation examples

Ex1: Specify criteria for accepting and avoiding cybersecurity risk for various classifications of data
Ex2: Determine whether to purchase cybersecurity insurance
Ex3: Document conditions under which shared responsibility models are acceptable (e.g., outsourcing certain cybersecurity functions, having a third party perform financial transactions on behalf of the organization, using public cloud-based services)

Mapped NIST 800-53 r5 controls (4)

Mapped CWE weaknesses (4)

Hover any chip for the human-reviewed coverage assessment in each direction. ← = the CWE covers this subcategory; → = this subcategory covers the CWE. F / M / P = full, mostly, partial.

CWE-1104→P CWE-1177→P CWE-1357→P CWE-1395→P

All informative references (34)

CCMv4.0: GRC-02
CCMv4.0: BCR-03
CCMv4.0: STA-01
CRI Profile v2.0: GV.RM-04
CRI Profile v2.0: GV.RM-04.01
CSF v1.1: ID.RM-2
CoP: B1
CoP: B2
ISO/IEC 27001:2022: Mandatory Clause: 6.1.3
ISO/IEC 27001:2022: Annex A Controls: 5.1
NICE Framework: OG-WRL-002
NICE Framework: OG-WRL-007
NICE Framework: OG-WRL-010
NICE Framework: OG-WRL-015
PCI DSS: 12.10.1
PCI DSS: 12.10.2
PCI DSS: 12.10.6
SCF: RSK-01
SCF: RSK-01.1
SCF: RSK-06.1
SDOS: SDOS-GV-02
SDOS: SDOS-RM-01
SP 800-171 Rev 3: 03.17.01
SP 800-221A: GV.BE-1
SP 800-53 Rev 5.1.1: PM-09
SP 800-53 Rev 5.1.1: PM-28
SP 800-53 Rev 5.1.1: PM-30
SP 800-53 Rev 5.1.1: SR-02
SP 800-53 Rev 5.2.0: PM-09
SP 800-53 Rev 5.2.0: PM-28
SP 800-53 Rev 5.2.0: PM-30
SP 800-53 Rev 5.2.0: SR-02
SP-800-37 Rev 2: RMF Prepare Step (Organization & Mission/Business Levels): TASK P-2 Risk Management Strategy
SP-800-37 Rev 2: RMF Prepare Step (Organization & Mission/Business Levels): TASK P-7 Continuous Monitoring Strategy—O

Source: NIST Cybersecurity Framework 2.0 · CSF 2.0 → 800-53 mappings sourced from NIST Cybersecurity & Privacy Reference Tool (CPRT) · US government work — attribution requested per NIST Open License Terms. Direct CSF→CWE/CVE cross-references will be added in a Phase B LLM-authored mapping pass (not yet rendered).