GV.RR-03
Adequate resources are allocated commensurate with the cybersecurity risk strategy, roles, responsibilities, and policies
Implementation examples
- Ex1: Conduct periodic management reviews to ensure that those given cybersecurity risk management responsibilities have the necessary authority
- Ex2: Identify resource allocation and investment in line with risk tolerance and response
- Ex3: Provide adequate and sufficient people, process, and technical resources to support the cybersecurity strategy
Mapped NIST 800-53 r5 controls (1)
All informative references (25)
- CRI Profile v2.0: GV.RR-03
- CRI Profile v2.0: GV.RR-03.01
- CRI Profile v2.0: GV.RR-03.02
- CRI Profile v2.0: GV.RR-03.03
- CSF v1.1: ID.RM-1
- CoP: B3
- IRP: IRP-Sec-4
- IRP: IRP-Sec-4
- IRP: IRP-Sec-4
- ISO/IEC 27001:2022: Mandatory Clause: 7.1, 7.2
- ISO/IEC 27001:2022: Annex A Controls:
- NICE Framework: OG-WRL-002
- NICE Framework: OG-WRL-003
- NICE Framework: OG-WRL-007
- NICE Framework: OG-WRL-010
- PCI DSS: 12.1.4
- PCI DSS: 12.10.3
- SCF: PRM-01
- SCF: PRM-02
- SCF: PRM-03
- SP 800-221A: GV.RR-2
- SP 800-53 Rev 5.1.1: PM-03
- SP 800-53 Rev 5.2.0: PM-03
- SP-800-37 Rev 2: RMF Prepare Step (Organization & Mission/Business Levels): TASK P-1 Risk Management Roles
- SP-800-37 Rev 2: RMF Prepare Step (Organization & Mission/Business Levels): TASK P-2 Risk Management Strategy
Source: NIST Cybersecurity Framework 2.0 · CSF 2.0 → 800-53 mappings sourced from NIST Cybersecurity & Privacy Reference Tool (CPRT) · US government work — attribution requested per NIST Open License Terms.