GV.RM-04: Strategic direction that describes appropriate risk response options is established and communicated

This subcategory is new to this version of the framework and incorporates the following item from the previous version: ID.RM-2: Organizational risk tolerance is determined and clearly expressed.


[csf.tools Note: Subcategories do not have detailed descriptions. However, NIST has provided the following implementation examples.]

Implementation Examples

1st: 1st Party Risk

Ex1: Specify criteria for accepting and avoiding cybersecurity risk for various classifications of data

Ex2: Determine whether to purchase cybersecurity insurance

Ex3: Document conditions under which shared responsibility models are acceptable (e.g., outsourcing certain cybersecurity functions, having a third party perform financial transactions on behalf of the organization, using public cloud-based services)