GV.RM-05: Lines of communication across the organization are established for cybersecurity risks, including risks from suppliers and other third parties

Subcategory is new to this version of the framework and incorporates the following item from the previous version: ID.SC-1: Cyber supply chain risk management processes are identified, established, assessed, managed, and agreed to by organizational stakeholders.


[csf.tools Note: Subcategories do not have detailed descriptions. However, NIST has provided the following implementation examples.]

Implementation Examples

1st: 1st Party Risk

3rd: 3rd Party Risk

Ex1: Determine how to update senior executives, directors, and management on the organization's cybersecurity posture at agreed-upon intervals

Ex2: Identify how all departments across the organization – such as management, operations, internal auditors, legal, acquisition, physical security, and HR – will communicate with each other about cybersecurity risks