GV.RR-03: Adequate resources are allocated commensurate with the cybersecurity risk strategy, roles, responsibilities, and policies

Subcategory is new to this version of the framework and incorporates the following item from the previous version: ID.RM-1: Risk management processes are established, managed, and agreed to by organizational stakeholders.


[csf.tools Note: Subcategories do not have detailed descriptions. However, NIST has provided the following implementation examples.]

Implementation Examples

1st: 1st Party Risk

3rd: 3rd Party Risk

Ex1: Conduct periodic management reviews to ensure that those given cybersecurity risk management responsibilities have the necessary authority

Ex2: Identify resource allocation and investment in line with risk tolerance and response

Ex3: Provide adequate and sufficient people, process, and technical resources to support the cybersecurity strategy