GV.OC-03: Legal, regulatory, and contractual requirements regarding cybersecurity – including privacy and civil liberties obligations – are understood and managed

Info icon.

Subcategory is new to this version of the framework and incorporates the following item from the previous version: ID.GV-3: Legal and regulatory requirements regarding cybersecurity, including privacy and civil liberties obligations, are understood and managed.


[csf.tools Note: Subcategories do not have detailed descriptions. However NIST has provided the following implementation examples.]

Implementation Examples

1st: 1st Party Risk

3rd: 3rd Party Risk

Ex1: Determine a process to track and manage legal and regulatory requirements regarding protection of individuals' information (e.g., Health Insurance Portability and Accountability Act, California Consumer Privacy Act, General Data Protection Regulation)

Ex2: Determine a process to track and manage contractual requirements for cybersecurity management of supplier, customer, and partner information

Ex3: Align the organization's cybersecurity strategy with legal, regulatory, and contractual requirements