NIST CSF 2.0 · All Functions · ID Identify · ID.RA Risk Assessment

ID.RA-08

Processes for receiving, analyzing, and responding to vulnerability disclosures are established

Implementation examples

Ex1: Conduct vulnerability information sharing between the organization and its suppliers following the rules and protocols defined in contracts
Ex2: Assign responsibilities and verify the execution of procedures for processing, analyzing the impact of, and responding to cybersecurity threat, vulnerability, or incident disclosures by suppliers, customers, partners, and government cybersecurity organizations

Mapped NIST 800-53 r5 controls (1)

Mapped CWE weaknesses (1)

Hover any chip for the human-reviewed coverage assessment in each direction. ← = the CWE covers this subcategory; → = this subcategory covers the CWE. F / M / P = full, mostly, partial.

CWE-1357→P

All informative references (34)

AI-SOC: AI-SOC-21
AI-SOC: AI-SOC-05
CCMv4.0: AIS-07
CCMv4.0: TVM-03
CCMv4.0: TVM-09
CIS Controls v8.0: 7.2
CIS Controls v8.1: 7.2
CRI Profile v2.0: ID.RA-08
CRI Profile v2.0: ID.RA-08.01
CRI Profile v2.0: ID.RA-08.02
CSF v1.1: RS.AN-5
CoP: A5
ISO/IEC 27001:2022: Mandatory Clause: 6.1.2
ISO/IEC 27001:2022: Annex A Controls: None
NICE Framework: IO-WRL-006
NICE Framework: OG-WRL-013
NICE Framework: OG-WRL-014
NICE Framework: PD-WRL-007
OWASP Top 10 LLM Applications: LLM01-2025
OWASP Top 10 LLM Applications: LLM05-2025
SCF: THR-01
SCF: THR-03
SCF: VPM-01
SCF: VPM-02
SDOS: SDOS-GV-01
SP 800-171 Rev 3: 03.11.02
SP 800-221A: MA.RI-3
SP 800-53 Rev 5.1.1: RA-05
SP 800-53 Rev 5.2.0: RA-05
SP-800-37 Rev 2: RMF Prepare Step (Organization & Mission/Business Levels): TASK P-2 Risk Management Strategy
SP-800-37 Rev 2: RMF Prepare Step (System Level): TASK P-15 Requirements Definition
SP-800-37 Rev 2: RMF Authorize Step: TASK R-3 Risk Response
SP-800-37 Rev 2: RMF Monitor Step: TASK M-2 Ongoing Assessments
SP-800-37 Rev 2: RMF Monitor Step: TASK M-3 Ongoing Risk Response

Source: NIST Cybersecurity Framework 2.0 · CSF 2.0 → 800-53 mappings sourced from NIST Cybersecurity & Privacy Reference Tool (CPRT) · US government work — attribution requested per NIST Open License Terms. Direct CSF→CWE/CVE cross-references will be added in a Phase B LLM-authored mapping pass (not yet rendered).