Informative References

Informative references are cross-references to control sets that can be used to implement the security outcome described by a framework element.

GV.OC: Organizational Context
    GV.OC-01: The organizational mission is understood and informs cybersecurity risk management
    GV.OC-02: Internal and external stakeholders are understood, and their needs and expectations regarding cybersecurity risk management are understood and considered
    GV.OC-03: Legal, regulatory, and contractual requirements regarding cybersecurity - including privacy and civil liberties obligations - are understood and managed
    GV.OC-04: Critical objectives, capabilities, and services that stakeholders depend on or expect from the organization are understood and communicated
    GV.OC-05: Outcomes, capabilities, and services that the organization depends on are understood and communicated
GV.RM: Risk Management Strategy
    GV.RM-01: Risk management objectives are established and agreed to by organizational stakeholders
    GV.RM-02: Risk appetite and risk tolerance statements are established, communicated, and maintained
    GV.RM-03: Cybersecurity risk management activities and outcomes are included in enterprise risk management processes
    GV.RM-04: Strategic direction that describes appropriate risk response options is established and communicated
    GV.RM-05: Lines of communication across the organization are established for cybersecurity risks, including risks from suppliers and other third parties
    GV.RM-06: A standardized method for calculating, documenting, categorizing, and prioritizing cybersecurity risks is established and communicated
    GV.RM-07: Strategic opportunities (i.e., positive risks) are characterized and are included in organizational cybersecurity risk discussions
GV.RR: Roles, Responsibilities, and Authorities
    GV.RR-01: Organizational leadership is responsible and accountable for cybersecurity risk and fosters a culture that is risk-aware, ethical, and continually improving
    GV.RR-02: Roles, responsibilities, and authorities related to cybersecurity risk management are established, communicated, understood, and enforced
    GV.RR-03: Adequate resources are allocated commensurate with the cybersecurity risk strategy, roles, responsibilities, and policies
    GV.RR-04: Cybersecurity is included in human resources practices
GV.PO: Policy
    GV.PO-01: Policy for managing cybersecurity risks is established based on organizational context, cybersecurity strategy, and priorities and is communicated and enforced
    GV.PO-02: Policy for managing cybersecurity risks is reviewed, updated, communicated, and enforced to reflect changes in requirements, threats, technology, and organizational mission
GV.OV: Oversight
    GV.OV-01: Cybersecurity risk management strategy outcomes are reviewed to inform and adjust strategy and direction
    GV.OV-02: The cybersecurity risk management strategy is reviewed and adjusted to ensure coverage of organizational requirements and risks
    GV.OV-03: Organizational cybersecurity risk management performance is evaluated and reviewed for adjustments needed
GV.SC: Cybersecurity Supply Chain Risk Management
    GV.SC-01: A cybersecurity supply chain risk management program, strategy, objectives, policies, and processes are established and agreed to by organizational stakeholders
    GV.SC-02: Cybersecurity roles and responsibilities for suppliers, customers, and partners are established, communicated, and coordinated internally and externally
    GV.SC-03: Cybersecurity supply chain risk management is integrated into cybersecurity and enterprise risk management, risk assessment, and improvement processes
    GV.SC-04: Suppliers are known and prioritized by criticality
    GV.SC-05: Requirements to address cybersecurity risks in supply chains are established, prioritized, and integrated into contracts and other types of agreements with suppliers and other relevant third parties
    GV.SC-06: Planning and due diligence are performed to reduce risks before entering into formal supplier or other third-party relationships
    GV.SC-07: The risks posed by a supplier, their products and services, and other third parties are understood, recorded, prioritized, assessed, responded to, and monitored over the course of the relationship
    GV.SC-08: Relevant suppliers and other third parties are included in incident planning, response, and recovery activities
    GV.SC-09: Supply chain security practices are integrated into cybersecurity and enterprise risk management programs, and their performance is monitored throughout the technology product and service life cycle
    GV.SC-10: Cybersecurity supply chain risk management plans include provisions for activities that occur after the conclusion of a partnership or service agreement
ID.AM: Asset Management
    ID.AM-01: Inventories of hardware managed by the organization are maintained
    ID.AM-02: Inventories of software, services, and systems managed by the organization are maintained
    ID.AM-03: Representations of the organization's authorized network communication and internal and external network data flows are maintained
    ID.AM-04: Inventories of services provided by suppliers are maintained
    ID.AM-05: Assets are prioritized based on classification, criticality, resources, and impact on the mission
    ID.AM-07: Inventories of data and corresponding metadata for designated data types are maintained
    ID.AM-08: Systems, hardware, software, services, and data are managed throughout their life cycles
ID.RA: Risk Assessment
    ID.RA-01: Vulnerabilities in assets are identified, validated, and recorded
    ID.RA-02: Cyber threat intelligence is received from information sharing forums and sources
    ID.RA-03: Internal and external threats to the organization are identified and recorded
    ID.RA-04: Potential impacts and likelihoods of threats exploiting vulnerabilities are identified and recorded
    ID.RA-05: Threats, vulnerabilities, likelihoods, and impacts are used to understand inherent risk and inform risk response prioritization
    ID.RA-06: Risk responses are chosen, prioritized, planned, tracked, and communicated
    ID.RA-07: Changes and exceptions are managed, assessed for risk impact, recorded, and tracked
    ID.RA-08: Processes for receiving, analyzing, and responding to vulnerability disclosures are established
    ID.RA-09: The authenticity and integrity of hardware and software are assessed prior to acquisition and use
    ID.RA-10: Critical suppliers are assessed prior to acquisition
ID.IM: Improvement
    ID.IM-01: Improvements are identified from evaluations
    ID.IM-02: Improvements are identified from security tests and exercises, including those done in coordination with suppliers and relevant third parties