GV.OC-05: Outcomes, capabilities, and services that the organization depends on are understood and communicated

Info icon.

Subcategory is new to this version of the framework and incorporates the following items from the previous version: ID.BE-1: The organization’s role in the supply chain is identified and communicated, ID.BE-4: Dependencies and critical functions for delivery of critical services are established.


[csf.tools Note: Subcategories do not have detailed descriptions. However NIST has provided the following implementation examples.]

Implementation Examples

Ex1: Create an inventory of the organization's dependencies on external resources (e.g., facilities, cloud-based hosting providers) and their relationships to organizational assets and business functions

Ex2: Identify and document external dependencies that are potential points of failure for the organization's critical capabilities and services, and share that information with appropriate personnel

3rd: 3rd Party Risk