NIST CSF 2.0 · All Functions · GV Govern · GV.RM Risk Management Strategy

GV.RM-06

A standardized method for calculating, documenting, categorizing, and prioritizing cybersecurity risks is established and communicated

Implementation examples

Ex1: Establish criteria for using a quantitative approach to cybersecurity risk analysis, and specify probability and exposure formulas
Ex2: Create and use templates (e.g., a risk register) to document cybersecurity risk information (e.g., risk description, exposure, treatment, and ownership)
Ex3: Establish criteria for risk prioritization at the appropriate levels within the enterprise
Ex4: Use a consistent list of risk categories to support integrating, aggregating, and comparing cybersecurity risks

Mapped NIST 800-53 r5 controls (5)

PM-09 PM-18 PM-28 PM-30 RA-03

All informative references (58)

CCMv4.0: GRC-02
CCMv4.0: TVM-08
CCMv4.0: IVS-08
CRI Profile v2.0: GV.RM-06
CRI Profile v2.0: GV.RM-06.01
CSF v1.1: ID.RM-1
IRP: IRP-Sec-2
IRP: IRP-Sec-2
IRP: IRP-Sec-2
ISO/IEC 27001:2022: Mandatory Clause: 6.1.2
ISO/IEC 27001:2022: Annex A Controls: 5.1
NICE Framework: DD-WRL-006
NICE Framework: IO-WRL-003
NICE Framework: IO-WRL-006
NICE Framework: OG-WRL-002
NICE Framework: OG-WRL-007
NICE Framework: OG-WRL-010
NICE Framework: OG-WRL-012
NICE Framework: OG-WRL-013
NICE Framework: OG-WRL-014
NICE Framework: OG-WRL-015
PCI DSS: 12.3.1
PCI DSS: 12.3.2
PCI DSS: 10.4.2.1
PCI DSS: 11.3.1.1
PCI DSS: 11.6.1
PCI DSS: 12.10.4.1
PCI DSS: 5.2.3.1
PCI DSS: 5.3.2.1
PCI DSS: 7.2.5.1
PCI DSS: 8.6.3
PCI DSS: 6.3.1
PCI DSS: 6.3.3
PCI DSS: 9.5.1.2.1
PCI DSS: 12.3.4
PCI DSS: 12.3.3
PCI DSS: 12.8.3
SCF: RSK-01
SCF: RSK-01.1
SCF: RSK-04
SDOS: SDOS-AU-01
SDOS: SDOS-RM-01
SDOS: SDOS-RM-02
SP 800-171 Rev 3: 03.11.01
SP 800-221A: GV.RR-2
SP 800-53 Rev 5.1.1: PM-09
SP 800-53 Rev 5.1.1: PM-18
SP 800-53 Rev 5.1.1: PM-28
SP 800-53 Rev 5.1.1: PM-30
SP 800-53 Rev 5.1.1: RA-03
SP 800-53 Rev 5.2.0: PM-09
SP 800-53 Rev 5.2.0: PM-18
SP 800-53 Rev 5.2.0: PM-28
SP 800-53 Rev 5.2.0: PM-30
SP 800-53 Rev 5.2.0: RA-03
SP-800-37 Rev 2: RMF Prepare Step (Organization & Mission/Business Levels): TASK P-2 Risk Management Strategy
SP-800-37 Rev 2: RMF Prepare Step (Organization & Mission/Business Levels): TASK P-3 Risk Assessment—Organization
SP-800-37 Rev 2: RMF Prepare Step (Organization & Mission/Business Levels): TASK P-7 Continuous Monitoring Strategy—O

Source: NIST Cybersecurity Framework 2.0 · CSF 2.0 → 800-53 mappings sourced from NIST Cybersecurity & Privacy Reference Tool (CPRT) · US government work — attribution requested per NIST Open License Terms. Direct CSF→CWE/CVE cross-references will be added in a Phase B LLM-authored mapping pass (not yet rendered).