Cyber Posture

NIST CSF 2.0 · GV (Govern)

GV.RM — Risk Management Strategy

The organization's priorities, constraints, risk tolerance and appetite statements, and assumptions are established, communicated, and used to support operational risk decisions

GV.RM-01

Risk management objectives are established and agreed to by organizational stakeholders

3 implementation example(s) · 3 mapped NIST 800-53 control(s)

GV.RM-02

Risk appetite and risk tolerance statements are established, communicated, and maintained

3 implementation example(s) · 1 mapped NIST 800-53 control(s)

GV.RM-03

Cybersecurity risk management activities and outcomes are included in enterprise risk management processes

3 implementation example(s) · 6 mapped NIST 800-53 control(s)

GV.RM-04

Strategic direction that describes appropriate risk response options is established and communicated

3 implementation example(s) · 4 mapped NIST 800-53 control(s)

GV.RM-05

Lines of communication across the organization are established for cybersecurity risks, including risks from suppliers and other third parties

2 implementation example(s) · 2 mapped NIST 800-53 control(s)

GV.RM-06

A standardized method for calculating, documenting, categorizing, and prioritizing cybersecurity risks is established and communicated

4 implementation example(s) · 5 mapped NIST 800-53 control(s)

GV.RM-07

Strategic opportunities (i.e., positive risks) are characterized and are included in organizational cybersecurity risk discussions

3 implementation example(s) · 5 mapped NIST 800-53 control(s)

Source: NIST Cybersecurity Framework 2.0 · CSF 2.0 → 800-53 mappings sourced from NIST Cybersecurity & Privacy Reference Tool (CPRT) · US government work — attribution requested per NIST Open License Terms. Direct CSF→CWE/CVE cross-references will be added in a Phase B LLM-authored mapping pass (not yet rendered).