GV.RR-02
Roles, responsibilities, and authorities related to cybersecurity risk management are established, communicated, understood, and enforced
Implementation examples
- Ex1: Document risk management roles and responsibilities in policy
- Ex2: Document who is responsible and accountable for cybersecurity risk management activities and how those teams and individuals are to be consulted and informed
- Ex3: Include cybersecurity responsibilities and performance requirements in personnel descriptions
- Ex4: Document performance goals for personnel with cybersecurity risk management responsibilities, and periodically measure performance to identify areas for improvement
- Ex5: Clearly articulate cybersecurity responsibilities within operations, risk functions, and internal audit functions
Mapped NIST 800-53 r5 controls (6)
All informative references (71)
- CCMv4.0: CEK-02
- CCMv4.0: GRC-06
- CCMv4.0: HRS-02
- CCMv4.0: HRS-03
- CCMv4.0: HRS-06
- CCMv4.0: HRS-08
- CCMv4.0: HRS-09
- CCMv4.0: HRS-13
- CCMv4.0: SEF-08
- CCMv4.0: STA-02
- CCMv4.0: STA-04
- CCMv4.0: UEM-14
- CIS Controls v8.0: 14.9
- CIS Controls v8.1: 14.9
- CRI Profile v2.0: GV.RR-02
- CRI Profile v2.0: GV.RR-02.01
- CRI Profile v2.0: GV.RR-02.02
- CRI Profile v2.0: GV.RR-02.03
- CRI Profile v2.0: GV.RR-02.04
- CRI Profile v2.0: GV.RR-02.05
- CRI Profile v2.0: GV.RR-02.06
- CRI Profile v2.0: GV.RR-02.07
- CSF v1.1: ID.AM-6
- CSF v1.1: ID.GV-2
- CSF v1.1: DE.DP-1
- CoP: B4
- CoP: E1
- CoP: E2
- ISO/IEC 27001:2022: Mandatory Clause: 7.2
- ISO/IEC 27001:2022: Annex A Controls: None
- NICE Framework: OG-WRL-002
- NICE Framework: OG-WRL-003
- NICE Framework: OG-WRL-007
- NICE Framework: OG-WRL-010
- OWASP Top 10 LLM Applications: LLM06-2025
- PCI DSS: 1.1.2
- PCI DSS: 2.1.2
- PCI DSS: 3.1.2
- PCI DSS: 4.1.2
- PCI DSS: 5.1.2
- PCI DSS: 6.1.2
- PCI DSS: 7.1.2
- PCI DSS: 8.1.2
- PCI DSS: 9.1.2
- PCI DSS: 10.1.2
- PCI DSS: 11.1.2
- PCI DSS: 12.1.3
- SCF: GOV-04
- SCF: HRS-02
- SCF: HRS-03
- SCF: TPM-05.4
- SDOS: SDOS-AD-01
- SDOS: SDOS-EN-02
- SDOS: SDOS-GV-01
- SP 800-221A: GV.RR-1
- SP 800-221A: GV.RR-2
- SP 800-221A: GV.OV-2
- SP 800-53 Rev 5.1.1: PM-02
- SP 800-53 Rev 5.1.1: PM-13
- SP 800-53 Rev 5.1.1: PM-19
- SP 800-53 Rev 5.1.1: PM-23
- SP 800-53 Rev 5.1.1: PM-24
- SP 800-53 Rev 5.1.1: PM-29
- SP 800-53 Rev 5.2.0: PM-02
- SP 800-53 Rev 5.2.0: PM-13
- SP 800-53 Rev 5.2.0: PM-19
- SP 800-53 Rev 5.2.0: PM-23
- SP 800-53 Rev 5.2.0: PM-24
- SP 800-53 Rev 5.2.0: PM-29
- SP-800-37 Rev 2: RMF Prepare Step (Organization & Mission/Business Levels): TASK P-1 Risk Management Roles
- SSDF: PO.2.1
Source: NIST Cybersecurity Framework 2.0 · CSF 2.0 → 800-53 mappings sourced from NIST Cybersecurity & Privacy Reference Tool (CPRT) · US government work — attribution requested per NIST Open License Terms.