NIST CSF 2.0 · All Functions · GV Govern · GV.RR Roles, Responsibilities, and Authorities

GV.RR-01

Organizational leadership is responsible and accountable for cybersecurity risk and fosters a culture that is risk-aware, ethical, and continually improving

Implementation examples

Ex1: Leaders (e.g., directors) agree on their roles and responsibilities in developing, implementing, and assessing the organization's cybersecurity strategy
Ex2: Share leaders' expectations regarding a secure and ethical culture, especially when current events present the opportunity to highlight positive or negative examples of cybersecurity risk management
Ex3: Leaders direct the CISO to maintain a comprehensive cybersecurity risk strategy and review and update it at least annually and after major events
Ex4: Conduct reviews to ensure adequate authority and coordination among those responsible for managing cybersecurity risk

Mapped NIST 800-53 r5 controls (5)

PM-02 PM-19 PM-23 PM-24 PM-29

All informative references (40)

BXAIOS: Chapter 8 - Activate the Champions
CCMv4.0: HRS-09
CCMv4.0: HRS-13
CIS Controls v8.0: 14.1
CIS Controls v8.1: 14.1
CRI Profile v2.0: GV.RR-01
CRI Profile v2.0: GV.RR-01.01
CRI Profile v2.0: GV.RR-01.02
CRI Profile v2.0: GV.RR-01.03
CRI Profile v2.0: GV.RR-01.04
CRI Profile v2.0: GV.RR-01.05
CoP: A2
CoP: C1
CoP: E3
ISO/IEC 27001:2022: Mandatory Clause: 7.2
ISO/IEC 27001:2022: Annex A Controls: 5.4
NICE Framework: OG-WRL-002
NICE Framework: OG-WRL-003
NICE Framework: OG-WRL-007
NICE Framework: OG-WRL-010
PCI DSS: 12.1.4
PCI DSS: 12.6.1
PCI DSS: 6.2.2
PCI DSS: 12.10.6
PCI DSS: 12.1.3
SCF: GOV-01
SCF: GOV-04
SCF: RSK-01
SP 800-53 Rev 5.1.1: PM-02
SP 800-53 Rev 5.1.1: PM-19
SP 800-53 Rev 5.1.1: PM-23
SP 800-53 Rev 5.1.1: PM-24
SP 800-53 Rev 5.1.1: PM-29
SP 800-53 Rev 5.2.0: PM-02
SP 800-53 Rev 5.2.0: PM-19
SP 800-53 Rev 5.2.0: PM-23
SP 800-53 Rev 5.2.0: PM-24
SP 800-53 Rev 5.2.0: PM-29
SP-800-37 Rev 2: RMF Prepare Step (Organization & Mission/Business Levels): TASK P-1 Risk Management Roles
SSDF: PO.2.3

Source: NIST Cybersecurity Framework 2.0 · CSF 2.0 → 800-53 mappings sourced from NIST Cybersecurity & Privacy Reference Tool (CPRT) · US government work — attribution requested per NIST Open License Terms. Direct CSF→CWE/CVE cross-references will be added in a Phase B LLM-authored mapping pass (not yet rendered).