NIST CSF 2.0 · All Functions · GV Govern · GV.RR Roles, Responsibilities, and Authorities

GV.RR-04

Implementation examples

• Ex1: Integrate cybersecurity risk management considerations into human resources processes (e.g., personnel screening, onboarding, change notification, offboarding)
• Ex2: Consider cybersecurity knowledge to be a positive factor in hiring, training, and retention decisions
• Ex3: Conduct background checks prior to onboarding new personnel for sensitive roles, and periodically repeat background checks for personnel with such roles
• Ex4: Define and enforce obligations for personnel to be aware of, adhere to, and uphold security policies as they relate to their roles

Mapped NIST 800-53 r5 controls (4)

All informative references (46)

• CCMv4.0: HRS-01
• CCMv4.0: HRS-05
• CCMv4.0: HRS-06
• CCMv4.0: HRS-07
• CCMv4.0: HRS-08
• CCMv4.0: HRS-10
• CCMv4.0: IAM-07
• CIS Controls v8.0: 6.1
• CIS Controls v8.0: 6.2
• CIS Controls v8.1: 6.1
• CIS Controls v8.1: 6.2
• CRI Profile v2.0: GV.RR-04
• CRI Profile v2.0: GV.RR-04.01
• CRI Profile v2.0: GV.RR-04.02
• CRI Profile v2.0: GV.RR-04.03
• CSF v1.1: PR.IP-11
• CoP: C1
• ISO/IEC 27001:2022: Mandatory Clause: 7.3
• ISO/IEC 27001:2022: Annex A Controls: 6.1
• ISO/IEC 27001:2022: Annex A Controls: 6.2
• ISO/IEC 27001:2022: Annex A Controls: 6.3
• ISO/IEC 27001:2022: Annex A Controls: 6.4
• ISO/IEC 27001:2022: Annex A Controls: 6.5
• ISO/IEC 27001:2022: Annex A Controls: 6.6
• ISO/IEC 27001:2022: Annex A Controls: 6.7
• ISO/IEC 27001:2022: Annex A Controls: 6.8
• NICE Framework: OG-WRL-002
• NICE Framework: OG-WRL-003
• NICE Framework: OG-WRL-010
• PCI DSS: 12.7.1
• PCI DSS: 12.6.3
• PCI DSS: 7.2.2
• PCI DSS: 8.2.5
• PCI DSS: 9.3.1.1
• SCF: HRS-01
• SP 800-171 Rev 3: 03.15.01
• SP 800-53 Rev 5.1.1: PM-13
• SP 800-53 Rev 5.1.1: PS-01
• SP 800-53 Rev 5.1.1: PS-07
• SP 800-53 Rev 5.1.1: PS-09
• SP 800-53 Rev 5.2.0: PM-13
• SP 800-53 Rev 5.2.0: PS-01
• SP 800-53 Rev 5.2.0: PS-07
• SP 800-53 Rev 5.2.0: PS-09
• SP-800-37 Rev 2: RMF Prepare Step (Organization & Mission/Business Levels): TASK P-1 Risk Management Roles
• SP-800-37 Rev 2: RMF Prepare Step (Organization & Mission/Business Levels): TASK P-2 Risk Management Strategy

Source: NIST Cybersecurity Framework 2.0 · CSF 2.0 → 800-53 mappings sourced from NIST Cybersecurity & Privacy Reference Tool (CPRT) · US government work — attribution requested per NIST Open License Terms. Direct CSF→CWE/CVE cross-references will be added in a Phase B LLM-authored mapping pass (not yet rendered).