The NIST CSF Govern Function

The NIST CSF Govern Function: The organization’s cybersecurity risk management strategy, expectations, and policy are established, communicated, and monitored.
Source: NIST CSF 2.0

The goals of the Govern Function of the NIST Cybersecurity Framework (CSF) are:

  • Ensuring that the organization’s cybersecurity objectives, policies, and processes align with its business goals, risk tolerance, and regulatory requirements.
  • Defining and communicating roles, responsibilities, and decision-making authority in the event of a cyber incident.
  • Deciding the prioritization and allocation of resources, including personnel, technology, and funding, during cybersecurity incidents.

The Govern Function has six Categories, and each Category has multiple Subcategories.

Function      Category                                      Category Identifier
Govern (GV)   Organizational Context                        GV.OC
Govern (GV)   Risk Management Strategy                      GV.RM
Govern (GV)   Roles, Responsibilities, and Authorities      GV.RR
Govern (GV)   Policy                                        GV.PO
Govern (GV)   Oversight                                     GV.OV
Govern (GV)   Cybersecurity Supply Chain Risk Management    GV.SC

1. Organizational Context (GV.OC)

This Category helps organizations understand the internal and external environment in which they operate. It includes defining the organization's mission, vision, and strategic goals, and understanding the regulatory, legal, and industry-specific requirements.

The Subcategories of GV.OC are:

  • GV.OC-01: The organizational mission is understood and informs cybersecurity risk management.

This Subcategory emphasizes the alignment of cybersecurity efforts with the organization’s mission and objectives.

These actionable steps can help you comply with this Subcategory:

  • Understand the organization's core purpose, strategic goals, and operational priorities.
  • Tailor cybersecurity risk management activities to protect the assets, processes, and functions.
  • Integrate the mission into risk management to ensure that resources are prioritized to protect what matters most, such as patient data in healthcare, intellectual property in research institutions, or financial data in banking.
  • Ensure communication between cybersecurity teams and other organizational stakeholders.

  • GV.OC-02: Internal and external stakeholders are understood, and their needs and expectations regarding cybersecurity risk management are understood and considered.

This Subcategory emphasizes stakeholder engagement as a critical component of effective cybersecurity governance.

These actionable steps can help you comply with this Subcategory:

  • Identify and map key stakeholders both within and outside the organization.
  • Understand the stakeholders’ roles, interests, and potential impact on or by cybersecurity risks.
  • Gather input from stakeholders to shape risk management strategies that meet their needs and expectations.
  • Ensure an ongoing engagement process to serve stakeholder needs.

  • GV.OC-03: Legal, regulatory, and contractual requirements regarding cybersecurity—including privacy and civil liberties obligations—are understood and managed.

This Subcategory highlights the need for organizations to identify and understand all legal, regulatory, and contractual obligations related to cybersecurity, privacy, and civil liberties. These requirements could include compliance with laws such as HIPAA or GDPR, sector-specific mandates, and industry standards. Your organization should also ensure that the civil liberties of the citizens of the country in which it does business, as enshrined in that country's constitution, are respected and left unhindered.

These actionable steps can help you comply with this Subcategory:

  • Ensure compliance teams regularly review and update their understanding of evolving regulatory and legal landscapes.
  • Encourage collaboration between legal, compliance, and cybersecurity teams to identify risks associated with non-compliance and establish safeguards to mitigate them.
  • Ensure proper documentation and evidence of compliance, such as audit trails, policies, and assessments, are maintained and readily accessible for audits or inquiries.
  • Train employees on privacy and civil liberties obligations to minimize human errors that may lead to violations.
  • Monitor your adherence continuously and implement corrective actions if gaps are identified.

  • GV.OC-04: Critical objectives, capabilities, and services that external stakeholders depend on or expect from the organization are understood and communicated.

External stakeholders may depend on your organization for certain critical services. This Subcategory highlights the importance of understanding these critical dependencies and communicating them to external stakeholders. For example, a bank may depend on your organization to provide a payment gateway that facilitates online transactions for its customers, or a hospital may rely on your organization to provide secure, uninterrupted access to an EHR system for managing patient data.

These actionable steps can help you comply with this Subcategory:

  • Identify key objectives, capabilities, and services that external stakeholders rely on or expect. These stakeholders may include customers, partners, regulators, and suppliers.
  • Communicate this understanding with stakeholders to help build trust and ensure they are informed about the organization's ability to deliver these services securely and reliably.
  • Maintain open lines of communication with stakeholders, particularly in the event of incidents that may impact the delivery of critical services.
  • Consider and prepare for how disruptions in these critical services could ripple through the broader ecosystem, affecting stakeholders.
  • Document and formalize these dependencies to ensure accountability and facilitate strategic planning for risk management.

  • GV.OC-05: Outcomes, capabilities, and services that the organization depends on are understood and communicated.

This Subcategory emphasizes the need to understand and convey what drives an organization's success. It is similar to GV.OC-01 in that both address the core mission of the organization; the difference is that here we also look at the services and capabilities the organization depends on to deliver that mission.

These actionable steps can help you comply with this Subcategory:

  • Identify the key outcomes, such as customer satisfaction, revenue generation, or regulatory compliance.
  • Recognize core capabilities, such as specialized expertise, proprietary technologies, or supply chain reliability, that enable your organization to achieve positive business outcomes.
  • Identify essential services, including IT infrastructure, third-party vendor services, and other operational dependencies.
  • Document and communicate this data to stakeholders to increase awareness.

2. Risk Management Strategy (GV.RM)

This Category helps organizations ensure that their risk management strategy aligns with the overall mission, goals, and risk tolerance.

The Subcategories of GV.RM are:

  • GV.RM-01: Risk management objectives are established and agreed to by organizational stakeholders.

This Subcategory helps set clear and agreed-upon risk management goals within an organization.

These actionable steps can help you comply with this Subcategory:

  • Ensure that the organization’s leadership and key stakeholders align on what constitutes acceptable risk and the approach for managing it.
  • Conduct a collaborative exercise where executives, security teams, and other critical departments come together to define risk tolerance and the desired outcomes of risk management initiatives.
  • Ensure that risk management objectives reflect the organization's overall mission, values, and regulatory obligations. An example of such an objective is safeguarding the confidentiality and integrity of patient data by implementing robust access controls and encryption, complying with HIPAA regulations while upholding the commitment to patient privacy.
  • Account for the potential impact of cybersecurity risks on the organization’s operations, reputation, and legal standing.
  • Conduct regular reviews and updates of these objectives to ensure they stay relevant as the business and threat landscape evolve.

  • GV.RM-02: Risk appetite and risk tolerance statements are established, communicated, and maintained.

This Subcategory helps define and manage the organization's overall approach to risk appetite and risk tolerance. Risk appetite refers to the type of risk an organization is willing to take in pursuit of its goals, while risk tolerance defines the acceptable level of risk that the organization is willing to bear in various circumstances.

Example of a risk appetite statement: "Our organization has minimal risk appetite for data breaches involving sensitive patient information and financial records. However, we are willing to accept moderate risks related to adopting new technology solutions with robust security controls and continuous monitoring in place."

Example of a risk tolerance statement: "Our organization will not tolerate any unauthorized access to confidential patient records. However, for system availability and uptime, we accept a downtime tolerance of up to 1% annually, provided that incident response is established, recovery procedures are in place, and service disruptions do not impact critical patient care systems."

These actionable steps can help you comply with this Subcategory:

  • Ensure that the organization has a clear understanding of its risk-taking boundaries and provide a framework for decision-making related to cybersecurity investments and strategies.
  • Communicate the organization's approach to risk across all levels, ensuring that stakeholders—from executives to operational teams—are aware of and aligned with it.
  • Reassess and update the risk appetite and tolerance levels as circumstances change, such as shifts in the business environment or the discovery of new vulnerabilities.
  • Create a well-documented and accessible risk appetite statement that guides the implementation of security measures, helping prioritize investments and actions.

  • GV.RM-03: Cybersecurity risk management activities and outcomes are included in enterprise risk management processes.

This Subcategory emphasizes the integration of cybersecurity risk management into the broader enterprise risk management (ERM) framework. Cybersecurity risk management focuses specifically on identifying, assessing, and mitigating risks related to digital systems, data, and cyberthreats, while ERM encompasses a broader scope, addressing all types of organizational risks, including strategic, financial, operational, and reputational risks. Therefore, this Subcategory ensures that cybersecurity risks are considered alongside other types of business risks, enabling a more holistic approach to organizational risk.

These actionable steps can help you comply with this Subcategory:

  • Develop a process for continuous communication and collaboration between the cybersecurity team and other departments, such as finance, legal, and operations.
  • Identify, assess, and prioritize cybersecurity risks in the context of their potential impact on business operations, reputation, and financial performance.
  • Conduct regular risk assessments that evaluate cybersecurity risks alongside other business risks.
  • Develop risk mitigation plans that include not only technical controls but also effective processes. Involve the different business units while developing these plans to ensure comprehensive management of risk. Include clear risk acceptance thresholds, mitigation actions, and responsible stakeholders, and align them with the organization’s broader risk mitigation strategy.

  • GV.RM-04: Strategic direction that describes appropriate risk response options is established and communicated.

This Subcategory helps set clear, actionable strategies for addressing cybersecurity risks. The goal is to provide a clear framework for managing risks in a way that minimizes the impact on operations while maximizing security and resilience.

These actionable steps can help you comply with this Subcategory:

  • Establish a clear, documented risk response strategy that outlines how your organization will address different types of risk (e.g., mitigate, accept, transfer, or avoid).
  • Define specific criteria for choosing among different risk response options. For example, you may wish to prioritize mitigation strategies for high-impact or high-likelihood risks and consider risk acceptance for lower-impact, lower-likelihood threats that don't justify a high investment of resources.
  • Set up a governance structure to guide the decision-making process for selecting appropriate risk response options.
  • Ensure that the risk response strategy and its criteria are clearly communicated to all relevant stakeholders within the organization.
  • Continuously monitor the effectiveness of the implemented risk responses and review them periodically to ensure they remain aligned with evolving business objectives, the threat landscape, and regulatory requirements.

  • GV.RM-05: Lines of communication across the organization are established for cybersecurity risks, including risks from suppliers and other third parties.

This Subcategory focuses on the importance of clear, structured communication channels for managing cybersecurity risks. These channels should be established not only within the organization but also extended to external partners, suppliers, and third parties that may pose cybersecurity risks.

These actionable steps can help you comply with this Subcategory:

  • Establish clear roles and responsibilities for cybersecurity risk management within the organization.
  • Designate personnel at various levels (executive, IT, legal, procurement) who will be responsible for communicating risks. This helps create accountability and ensures the right people are involved in risk-related decisions.
  • Create a formalized cybersecurity risk communication plan that defines communication methods, frequency, and the escalation process in case of a cyber event.
  • Establish lines of communication with suppliers and third parties to ensure that cybersecurity risks associated with their services are identified and mitigated.
  • Implement regular security audits, risk assessments, and shared incident response protocols to ensure that third-party risks are properly managed and communicated.
  • Set up automated or manual reporting systems that provide regular updates on cybersecurity risks to both internal stakeholders and third parties. These reports should include the status of identified risks, mitigation actions taken, and emerging threats.

  • GV.RM-06: A standardized method for calculating, documenting, categorizing, and prioritizing cybersecurity risks is established and communicated.

This Subcategory emphasizes the importance of having a consistent and transparent approach to ensuring that risks are evaluated, documented, and communicated.

These actionable steps can help you comply with this Subcategory:

  • Develop a standardized risk calculation framework (such as the Risk Matrix, FAIR, or SLE/ARO models) that evaluates the likelihood and impact of cybersecurity risks. This framework should be used consistently across the organization to ensure that all risks are calculated using the same criteria.
  • Create risk categories that take the sensitivity or criticality of the data asset into consideration. For example, financial data, intellectual property, patient health records, etc., may be considered sensitive.
  • Implement a centralized risk register or database to record and track all identified cybersecurity risks. The register should include details such as the risk description, risk calculation results, categories, likelihood, impact, and mitigation strategies.
  • Prioritize risks by considering their calculated risk scores. Use business context (e.g., regulatory requirements, financial losses, reputation) to weigh risks and allocate resources effectively.
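The standardized scoring method and risk register described in the GV.RM-06 steps above, as an added example (not code from the original page or from NIST): it scores each risk with a likelihood x impact matrix weighted by a data-sensitivity category, computes ALE = SLE x ARO where quantitative inputs exist, and prioritizes the register by the result. The scale values, category weights, rating bands and sample risks are all constructed assumptions.

```python
"""Standardized risk calculation and a minimal risk register.

Added example (not from the original page or NIST): implements the two
scoring methods GV.RM-06 names, a likelihood x impact risk matrix and the
SLE/ARO (annualized loss expectancy) model, and records the results in a
register that is prioritized by the calculated score. The scale values,
category weights, rating bands and sample risks are constructed.
"""
from dataclasses import dataclass, field
from typing import Optional

# Qualitative scales used by the risk matrix (constructed 1..5 scales).
LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost certain": 5}
IMPACT = {"negligible": 1, "minor": 2, "moderate": 3, "major": 4, "severe": 5}

# Risk categories by data sensitivity; the weight carries business context
# (regulatory exposure, financial loss, reputation) into the score. Assumed values.
CATEGORY_WEIGHT = {
    "patient health records": 1.5,   # regulated (e.g. HIPAA), high reputational cost
    "financial data": 1.4,
    "intellectual property": 1.3,
    "internal operational data": 1.0,
}


@dataclass
class Risk:
    risk_id: str
    description: str
    category: str
    likelihood: str
    impact: str
    mitigation: str
    sle: Optional[float] = None   # single loss expectancy, in currency units
    aro: Optional[float] = None   # annualized rate of occurrence
    score: float = field(init=False, default=0.0)
    ale: Optional[float] = field(init=False, default=None)


def matrix_score(likelihood: str, impact: str, category: str) -> float:
    """Risk matrix score: likelihood x impact, weighted by category sensitivity."""
    if category not in CATEGORY_WEIGHT:
        raise ValueError(f"unknown risk category: {category!r}")
    return LIKELIHOOD[likelihood] * IMPACT[impact] * CATEGORY_WEIGHT[category]


def annualized_loss_expectancy(sle: float, aro: float) -> float:
    """ALE = SLE x ARO, the quantitative counterpart of the matrix score."""
    if sle < 0 or aro < 0:
        raise ValueError("SLE and ARO must be non-negative")
    return sle * aro


def rating(score: float) -> str:
    """Map a weighted score onto prioritization bands (assumed thresholds)."""
    if score >= 20:
        return "critical"
    if score >= 12:
        return "high"
    if score >= 6:
        return "medium"
    return "low"


class RiskRegister:
    """Centralized register: every risk is scored with the same criteria."""

    def __init__(self) -> None:
        self._risks: dict[str, Risk] = {}

    def add(self, risk: Risk) -> Risk:
        if risk.risk_id in self._risks:
            raise ValueError(f"duplicate risk id {risk.risk_id}")
        risk.score = matrix_score(risk.likelihood, risk.impact, risk.category)
        if risk.sle is not None and risk.aro is not None:
            risk.ale = annualized_loss_expectancy(risk.sle, risk.aro)
        self._risks[risk.risk_id] = risk
        return risk

    def prioritized(self) -> list[Risk]:
        """Highest weighted score first; ALE breaks ties when it is available."""
        return sorted(self._risks.values(),
                      key=lambda r: (r.score, r.ale or 0.0), reverse=True)


def build_sample_register() -> RiskRegister:
    """Constructed sample risks for illustration, not real findings."""
    reg = RiskRegister()
    reg.add(Risk("R-001", "Ransomware on EHR file server", "patient health records",
                 "possible", "severe", "offline backups; EDR", sle=400_000, aro=0.2))
    reg.add(Risk("R-002", "Leaked API key in build logs", "intellectual property",
                 "likely", "moderate", "secret scanning in CI", sle=50_000, aro=1.0))
    reg.add(Risk("R-003", "Printer firmware out of date", "internal operational data",
                 "likely", "minor", "scheduled patch cycle"))
    return reg


if __name__ == "__main__":
    for r in build_sample_register().prioritized():
        print(f"{r.risk_id} {rating(r.score):8} score={r.score:<5} ALE={r.ale} {r.description}")
```

Because every entry is scored with the same scales and weights, changing a category weight re-ranks all risks in that category consistently, which is what makes the register comparable across business units.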

  • GV.RM-07: Strategic opportunities (i.e., positive risks) are characterized and are included in organizational cybersecurity risk discussions.

This Subcategory focuses on recognizing positive risks—or opportunities—that arise as part of cybersecurity efforts. While cybersecurity is often focused on mitigating threats, it’s equally important to identify opportunities where investments or strategies can lead to beneficial outcomes, such as enhanced efficiency, improved innovation, or competitive advantages.

These actionable steps can help you comply with this Subcategory:

  • Create a structured process for stakeholders to evaluate cybersecurity initiatives or investments that could yield strategic benefits, such as adopting new frameworks like the Zero Trust architecture or new technologies such as advanced threat detection systems.
  • Characterize each opportunity using a risk-opportunity matrix to determine its potential value, feasibility, and alignment with organizational goals. Assess opportunities based on clear metrics such as cost savings, improved performance, innovation potential, or reputational enhancement, while balancing risks.
  • Document opportunities in risk registers, dashboards, or reports to demonstrate their strategic value.
  • Use cybersecurity improvements (e.g., migrating to secure cloud platforms) as a strategic advantage for agility, scalability, and innovation while securing critical assets.
  • Set KPIs to track the performance of positive risks (e.g., reduced downtime, increased customer trust, or improved operational workflows) and periodically revisit the outcomes for continuous improvement.

3. Roles, Responsibilities, and Authorities (GV.RR)

This Category focuses on clearly defining and assigning responsibilities for cybersecurity-related activities across an organization.

The Subcategories of GV.RR are:

  • GV.RR-01: Organizational leadership is responsible and accountable for cybersecurity risk and fosters a culture that is risk-aware, ethical, and continually improving.

This Subcategory highlights the critical role of leadership in driving cybersecurity accountability and cultivating a security-conscious culture.

These actionable steps can help you comply with this Subcategory:

  • Develop a clear governance structure that defines roles, responsibilities, and accountability for cybersecurity within the leadership team. Designate a chief information security officer (CISO) or equivalent leader to oversee cybersecurity risk management and report to executive leadership or the board.
  • Integrate cybersecurity risk management into the organization's broader strategic planning and decision-making processes. Regularly include cybersecurity updates in leadership meetings and establish KPIs to measure risk management effectiveness.
  • Implement policies that encourage ethical behavior, such as responsible data handling, reporting incidents, and following risk mitigation protocols.
  • Establish a process for regular risk assessments and reporting on identified risks, mitigation plans, and overall cybersecurity posture to senior leadership and stakeholders. Leverage tools like risk registers and dashboards for visibility.

  • GV.RR-02: Roles, responsibilities, and authorities related to cybersecurity risk management are established, communicated, understood, and enforced.

This Subcategory focuses on defining and formalizing who is accountable for cybersecurity risk management within an organization. This ensures that all team members clearly understand their duties and how they contribute to the overall security posture, fostering accountability and efficiency.

These actionable steps can help you comply with this Subcategory:

  • Develop a detailed cybersecurity governance framework that clearly defines roles, responsibilities, and authorities at all levels, including executive leadership, IT, security teams, third-party providers, and individual employees.
  • Disseminate the documented roles and responsibilities through policies, team meetings, onboarding training, and internal portals to ensure everyone understands their part in cybersecurity.
  • Include cybersecurity-related roles and expectations in job descriptions, employment agreements, and performance evaluations to formalize responsibilities.
  • Conduct role-based cybersecurity training programs to ensure that individuals understand their cybersecurity responsibilities and how to execute them effectively.

  • GV.RR-03: Adequate resources are allocated commensurate with the cybersecurity risk strategy, roles, responsibilities, and policies.

This Subcategory ensures that organizations allocate sufficient resources—both financial and human—to their cybersecurity risk management strategy.

These actionable steps can help you comply with this Subcategory:

  • Assess existing resources, including personnel, technology, and budgets, to identify gaps.
  • Prioritize resource allocation based on a thorough risk assessment, focusing on areas with the highest impact or likelihood of threats (e.g., critical assets, sensitive data). Ensure resource distribution is proportional to the risk levels identified in the organization’s risk strategy.
  • Clearly define and document roles and responsibilities for all staff involved in cybersecurity, including SOC teams, IT administrators, and leadership.
  • Develop a dedicated cybersecurity budget that covers tools, technologies, training, and staffing needs.
  • Implement continuous monitoring to evaluate whether allocated resources are effectively mitigating risks and achieving the desired cybersecurity outcomes.

  • GV.RR-04: Cybersecurity is included in human resources practices.

This Subcategory highlights the integration of cybersecurity principles into HR practices to build a culture of security and ensure that personnel contribute effectively to your organization’s cybersecurity posture.

These actionable steps can help you comply with this Subcategory:

  • Clearly define cybersecurity responsibilities in all relevant job descriptions, especially for roles with access to critical systems or sensitive data. For example, specify expectations such as adherence to security protocols, safe data handling practices, and reporting security incidents.

Below is an example of a section of a job description for a sales manager that addresses cybersecurity responsibilities.

"As a sales manager, you are expected to uphold the organization's cybersecurity policies by ensuring that customer and business data is handled securely. You will need to follow established data protection protocols, complete mandatory cybersecurity awareness training, report any suspected security incidents, and ensure that sales processes comply with company cybersecurity standards, including secure handling of customer information and adherence to access control policies."

  • Develop and mandate periodic training for all employees. Include phishing simulations, secure password creation, and safe internet usage as training modules to reinforce awareness.
  • Implement robust pre-employment background checks for roles involving access to sensitive data or critical systems.
  • Align performance evaluations with the degree of adherence to cybersecurity practices. For example, assess whether employees follow data protection policies, report suspicious activities, and complete mandatory security training.

4. Policy (GV.PO)

This Category focuses on the establishment and implementation of organizational cybersecurity policies.

The Subcategories of GV.PO are:

  • GV.PO-01: Policy for managing cybersecurity risks is established based on organizational context, cybersecurity strategy, and priorities and is communicated and enforced.

This Subcategory mandates that organizations create a cybersecurity policy aligned with their unique business context, strategic goals, and risk management priorities.

These actionable steps can help you comply with this Subcategory:

  • Conduct a thorough assessment of the organization's operations, industry-specific threats, regulatory requirements, and existing cybersecurity posture. Use frameworks like SWOT analysis or Business Impact Analysis (BIA) to understand internal and external factors influencing risk management.
  • Develop a cybersecurity strategy that outlines the organization's long-term objectives, risk tolerance, and key priorities based on the assessment.
  • Create a formal cybersecurity risk management policy outlining how risks will be identified, assessed, mitigated, and monitored.
  • Disseminate the policy to all employees and stakeholders through training sessions, workshops, and accessible documentation.
  • Establish mechanisms to enforce the policy, such as regular audits, automated compliance tools, and incident reporting systems. Leverage tools like a SIEM for monitoring.

  • GV.PO-02: Policy for managing cybersecurity risks is reviewed, updated, communicated, and enforced to reflect changes in requirements, threats, technology, and organizational mission.

This Subcategory emphasizes the need for dynamic and effective cybersecurity policies. These policies must adapt to evolving circumstances to ensure that they remain relevant and actionable.

These actionable steps can help you comply with this Subcategory:

  • Implement a formalized schedule to review cybersecurity policies (e.g., quarterly or annually). Use feedback from audits, incident analyses, and lessons learned to guide updates during reviews.
  • Include key stakeholders such as IT, legal, compliance, and executive teams in the policy review process.
  • Revise policies to account for changes in regulations (e.g., GDPR, HIPAA updates), technological shifts (e.g., adoption of cloud services, Zero Trust models), and business processes.
  • Distribute updated policies through formal communication channels (e.g., emails, intranet portals) and require employees to acknowledge receipt and understanding.

5. Oversight (GV.OV)

This Category helps ensure that cybersecurity policies, procedures, and risk management activities are effectively governed and aligned with organizational goals.

The Subcategories of GV.OV are:

  • GV.OV-01: Cybersecurity risk management strategy outcomes are reviewed to inform and adjust strategy and direction.

This Subcategory focuses on the ongoing evaluation of the effectiveness of an organization’s cybersecurity risk management strategies. It ensures that the outcomes of these strategies are analyzed to refine and adapt the overall cybersecurity approach.

These actionable steps can help you comply with this Subcategory:

  • Define specific, measurable, and actionable metrics to evaluate the success of your cybersecurity risk management strategy. For example, track the number of incidents detected, mean time to resolution (MTTR), and the reduction of high-risk vulnerabilities over time.
  • Schedule periodic reviews (e.g., quarterly or biannually) to assess the outcomes of implemented strategies. These reviews should involve stakeholders across IT, security, risk management, and leadership to ensure holistic evaluation.
  • Compare current outcomes against defined objectives and identify gaps in performance.
  • Conduct an impact analysis to understand how changes in the threat landscape, business objectives, or regulations may require adjustments to the strategy.
  • Create a formal process for collecting insights from incidents, audits, and assessments to feed back into the strategy development process.

  • GV.OV-02: The cybersecurity risk management strategy is reviewed and adjusted to ensure coverage of organizational requirements and risks.

This Subcategory emphasizes the continuous improvement of an organization's cybersecurity risk management strategy. Regular reviews and updates are necessary to address new threats, technological advancements, and organizational shifts.

These actionable steps can help you comply with this Subcategory:

  • Schedule periodic reviews (e.g., quarterly or biannually) of the cybersecurity risk management strategy.
  • Evaluate current and emerging threats, vulnerabilities, and risks to the organization’s assets and operations. Incorporate findings into updates for the risk management strategy.
  • Stay informed about changes in regulatory requirements, industry standards, and threat landscapes relevant to the organization.
  • Define and track KPIs and metrics to assess how well the current risk management strategy addresses organizational requirements and risks. Use data from incident reports, threat intelligence, and system audits to identify gaps or areas for improvement.

  • GV.OV-03: Organizational cybersecurity risk management performance is evaluated and reviewed for adjustments needed.

This Subcategory helps ensure that an organization's cybersecurity risk management practices are continuously monitored and assessed.

These actionable steps can help you comply with this Subcategory:

  • Define measurable KPIs to assess the effectiveness of cybersecurity risk management, such as the number of incidents detected, average response time, and compliance with regulatory frameworks.
  • Schedule periodic evaluations (e.g., quarterly or annually) of the cybersecurity risk management program's performance.
  • Perform internal and external audits to validate the effectiveness of current cybersecurity controls and practices.
  • Create a mechanism for collecting feedback from cybersecurity incident post-mortems, employee suggestions, and regulatory findings.
  • Regularly revise the cybersecurity risk management framework to reflect changes in the threat landscape, business objectives, and compliance standards.

6. Cybersecurity Supply Chain Risk Management (GV.SC)

This Category focuses on managing risks associated with external suppliers, vendors, and third-party services.

The Subcategories of GV.SC are:

  • GV.SC-01: A cybersecurity supply chain risk management program, strategy, objectives, policies, and processes are established and agreed to by organizational stakeholders.

This Subcategory emphasizes the need for a structured and collaborative approach to managing risks associated with third-party suppliers, vendors, and partners.

These actionable steps can help you comply with this Subcategory:

  • Create a formalized cybersecurity supply chain risk management (C-SCRM) program that defines objectives, scope, and key components such as risk assessment, vendor evaluation, and risk mitigation strategies.
  • Conduct a thorough analysis of your supply chain to identify critical dependencies and potential risks, including those stemming from third-party vendors, hardware, software, and services.
  • Establish specific policies and processes for evaluating, onboarding, and continuously monitoring suppliers and vendors for cybersecurity risks.
  • Host workshops and collaborative sessions to align the C-SCRM objectives with organizational goals and regulatory requirements.
  • Conduct regular risk assessments of supply chain partners to identify vulnerabilities and prioritize risks based on their potential impact on the organization. Use tools and methodologies such as vendor questionnaires, security audits, and risk scoring frameworks to evaluate suppliers.
  • Deploy automated tools for threat intelligence and vendor risk monitoring, and conduct periodic reviews of supplier performance against contractual cybersecurity requirements.

  • GV.SC-02: Cybersecurity roles and responsibilities for suppliers, customers, and partners are established, communicated, and coordinated internally and externally.

This Subcategory emphasizes the need for clarity, collaboration, and communication of cybersecurity roles across all involved parties in the ecosystem.

These actionable steps can help you comply with this Subcategory:

  • Develop a detailed document outlining the specific cybersecurity roles and responsibilities for suppliers, customers, and partners. Identify critical functions such as data handling, incident reporting, and compliance verification, and assign an owner to each.
  • Write specific cybersecurity requirements, such as adherence to the NIST CSF or other standards, into contracts, SLAs, and partnership agreements. Work with legal and procurement teams to standardize the cybersecurity clauses used across agreements.
  • Create formal communication channels and escalation protocols for cybersecurity matters between your organization and external stakeholders.
  • Provide cybersecurity awareness training tailored to suppliers, customers, and partners, focusing on their roles and responsibilities. Conduct joint webinars, distribute guidelines, and offer resources to educate stakeholders about policies, threat detection, and response expectations.

  • GV.SC-03: Cybersecurity supply chain risk management is integrated into cybersecurity and enterprise risk management, risk assessment, and improvement processes.

This Subcategory highlights the importance of embedding supply chain risk management into an organization's overall risk governance framework. This integration ensures a holistic approach to identifying, assessing, and mitigating risks associated with third-party vendors, suppliers, and partners.

These actionable steps can help you comply with this Subcategory:

  • Define clear policies and frameworks that incorporate supply chain risk management (SCRM) into your enterprise risk management (ERM) processes, so that supplier risks are reported, escalated, and accepted through the same governance path as other enterprise risks.
  • Conduct a thorough assessment to identify and categorize supply chain risks, focusing on vendors that handle sensitive data or critical infrastructure.
  • Embed SCRM considerations into your regular risk assessment processes, ensuring that risks associated with third-party vendors are identified, evaluated, and prioritized alongside internal risks. Use tools like questionnaires, audits, or third-party risk management software to gather insights into supplier practices.
  • Establish SLAs and contractual obligations that require suppliers to meet your security requirements, and that give you the right to verify them (for example, through audit rights or evidence of independent assessments).
  • Develop contingency plans to mitigate the impact of supply chain incidents, such as backup suppliers, redundancy strategies, and incident response coordination with vendors.

  • GV.SC-04: Suppliers are known and prioritized by criticality.

This Subcategory emphasizes the importance of identifying and assessing suppliers based on their role in your organization’s operations and the potential impact of risks associated with them.

These actionable steps can help you comply with this Subcategory:

  • Maintain a comprehensive inventory of all suppliers, vendors, and third-party partners. Include information about the products, services, or systems they provide and how they interact with your organization’s critical operations. Use a centralized database to document supplier details, such as contact information, service scope, and contractual obligations.
  • Categorize suppliers based on their importance to your operations. For example, prioritize suppliers that provide essential services, handle sensitive data, or directly impact critical business processes. Consider factors like the supplier’s access to sensitive systems, dependency on their services, and the potential impact of a disruption or breach on your organization.
  • Conduct risk assessments for suppliers, focusing on cybersecurity risks. Evaluate their security posture, compliance with relevant standards, and history of incidents.
  • Create a matrix to rank suppliers based on criticality and risk. Assign scores for factors such as business impact, sensitivity of data handled, and frequency of interaction with your systems. Use this matrix to categorize suppliers into tiers (e.g., high, medium, low criticality).
  • Establish regular communication channels with high-criticality suppliers to share cybersecurity expectations, updates, and threat intelligence.
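The criticality matrix described in the steps above can be kept as a small script rather than a spreadsheet, which makes the scoring repeatable and lets you flag suppliers whose reassessment is overdue for their tier. The following is an added example, not code from this page, from NIST, or from any vendor product. The supplier records, factor scales, weights, tier thresholds, review intervals and the "privileged access forces high tier" floor rule are all constructed assumptions for illustration; substitute the factors your own risk committee has agreed on.

```python
"""Supplier criticality matrix for GV.SC-04.

Added example, not part of the NIST CSF or this page. Every supplier record,
factor scale, weight and tier threshold below is constructed for illustration;
substitute the factors and weights your own risk committee agreed on.
"""
from datetime import date, timedelta

# Ordinal scales for the matrix factors (higher = more critical). Constructed.
ACCESS = {"none": 0, "read_only": 1, "write": 2, "privileged": 3}       # access to our systems
DATA = {"public": 0, "internal": 1, "confidential": 2, "regulated": 3}  # sensitivity handled
DEPENDENCY = {"low": 1, "medium": 2, "high": 3}            # business impact if the supplier fails
FREQUENCY = {"ad_hoc": 1, "monthly": 2, "continuous": 3}   # how often they touch our systems

# Weights: access and data sensitivity dominate outage impact and frequency. Constructed.
WEIGHTS = {"access": 4, "data": 3, "dependency": 2, "frequency": 1}
MAX_SCORE = sum(3 * w for w in WEIGHTS.values())  # every factor at its maximum: 30

# Review cadence per tier; low-criticality suppliers get no scheduled reassessment. Constructed.
REVIEW_INTERVAL = {"high": timedelta(days=365), "medium": timedelta(days=730)}

AS_OF = date(2025, 1, 15)  # constructed "today" so the example is reproducible

# Constructed supplier inventory; the names are fictitious.
INVENTORY = [
    {"name": "CloudHost Inc", "access": "privileged", "data": "regulated",
     "dependency": "high", "frequency": "continuous", "last_assessed": date(2024, 6, 1)},
    {"name": "Payroll SaaS", "access": "read_only", "data": "regulated",
     "dependency": "medium", "frequency": "monthly", "last_assessed": date(2022, 11, 1)},
    {"name": "Remote Support Contractor", "access": "privileged", "data": "internal",
     "dependency": "low", "frequency": "ad_hoc", "last_assessed": date(2023, 3, 10)},
    {"name": "Office Catering", "access": "none", "data": "public",
     "dependency": "low", "frequency": "ad_hoc", "last_assessed": None},
]


def criticality_score(supplier):
    """Weighted sum of the four ordinal factors, in the range 0..MAX_SCORE."""
    return (WEIGHTS["access"] * ACCESS[supplier["access"]]
            + WEIGHTS["data"] * DATA[supplier["data"]]
            + WEIGHTS["dependency"] * DEPENDENCY[supplier["dependency"]]
            + WEIGHTS["frequency"] * FREQUENCY[supplier["frequency"]])


def supplier_tier(supplier):
    """High/medium/low tier from the score, with one floor rule (constructed policy):
    a supplier holding privileged access to our systems is high criticality even when
    its weighted score is lower, because its compromise is our compromise."""
    score = criticality_score(supplier)
    if supplier["access"] == "privileged" or score >= 20:
        return "high"
    if score >= 10:
        return "medium"
    return "low"


def rank_suppliers(inventory):
    """(name, score, tier) tuples, most critical first; ties broken by name."""
    ranked = [(s["name"], criticality_score(s), supplier_tier(s)) for s in inventory]
    return sorted(ranked, key=lambda r: (-r[1], r[0]))


def overdue_assessments(inventory, today=AS_OF):
    """Names of suppliers whose last risk assessment is older than their tier allows
    (or who were never assessed), sorted alphabetically."""
    overdue = []
    for s in inventory:
        interval = REVIEW_INTERVAL.get(supplier_tier(s))
        if interval is None:
            continue  # low tier: no scheduled reassessment
        last = s["last_assessed"]
        if last is None or today - last > interval:
            overdue.append(s["name"])
    return sorted(overdue)


if __name__ == "__main__":
    for name, score, tier in rank_suppliers(INVENTORY):
        print(f"{name:28s} score {score:2d}/{MAX_SCORE}  tier {tier}")
    print("reassessment overdue:", overdue_assessments(INVENTORY))
```

The floor rule is the part worth copying: a small contractor with ad hoc, low-dependency work scores only 18 of 30 here, but because it holds privileged access it lands in the high tier and on the overdue-reassessment list, which is where a pure weighted score would have hidden it.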

  • GV.SC-05: Requirements to address cybersecurity risks in supply chains are established, prioritized, and integrated into contracts and other types of agreements with suppliers and other relevant third parties.

This Subcategory focuses on ensuring that cybersecurity risks within the supply chain are effectively addressed by establishing clear requirements and integrating them into contractual agreements.

These actionable steps can help you comply with this Subcategory:

  • Conduct a thorough risk assessment to identify potential cybersecurity threats from your suppliers and third parties. This could include evaluating the security posture of vendors, the sensitivity of the data they handle, and their access to your organization’s systems.
  • Prioritize these risks based on their potential impact on your operations, financial stability, and reputation.
  • Develop specific cybersecurity requirements for suppliers, addressing issues such as data protection, secure access controls, incident response capabilities, and compliance with relevant standards.
  • Ensure that cybersecurity requirements are integrated into contracts and service agreements with suppliers and third parties. Include clear clauses that outline the expectations for cybersecurity practices, reporting obligations in the event of a security breach, and responsibilities for maintaining security standards. This should also cover audit rights and penalties for non-compliance.
  • Based on your risk assessment, prioritize cybersecurity requirements for high-risk suppliers who have access to sensitive information or critical systems. Consider applying more stringent security measures, such as regular security assessments, encryption, or limiting access to specific network segments, for high-priority suppliers.

  • GV.SC-06: Planning and due diligence are performed to reduce risks before entering into formal supplier or other third-party relationships.

This Subcategory stresses the importance of evaluating and mitigating risks related to third-party relationships before formalizing contracts.

These actionable steps can help you comply with this Subcategory:

  • Before entering any formal relationships with suppliers or third parties, assess their cybersecurity practices, controls, and overall risk posture. This includes evaluating their data protection, incident response capabilities, and compliance with regulatory frameworks like GDPR or HIPAA. Use questionnaires, audits, and third-party risk assessment tools to identify potential cybersecurity risks.
  • Set specific cybersecurity requirements as part of the contractual agreement. Ensure that third parties follow industry best practices, such as encryption protocols, access controls, and monitoring mechanisms.
  • Set up automated tools that alert your organization to any security issues or policy breaches by the third party.
  • Ensure that third-party suppliers or vendors have only the minimum access to your organization’s systems and sensitive data that their service requires. Implement role-based access controls (RBAC), and make vendor access time-bound so that it expires with the engagement rather than persisting by default.
  • Plan for contingencies in case a third-party supplier or vendor fails to meet its security obligations or becomes a security risk. Establish clear procedures to mitigate damage, such as switching to alternate vendors or activating a crisis management plan. Maintain a list of backup suppliers, and ensure that they meet the same security standards in case a switch is required.

  • GV.SC-07: The risks posed by a supplier, their products and services, and other third parties are understood, recorded, prioritized, assessed, responded to, and monitored over the course of the relationship.

This Subcategory emphasizes a comprehensive approach to managing cybersecurity risks associated with third-party suppliers and service providers.

These actionable steps can help you comply with this Subcategory:

  • Document and record the risks associated with each supplier, including the type of products or services they provide, potential vulnerabilities, and identified threats.
  • Prioritize supplier risk management based on the suppliers' access to critical systems, data, or infrastructure. For high-risk suppliers, develop specific mitigation or response plans to address identified risks, such as imposing stricter access controls or requiring regular security audits.
  • Continuously monitor and track suppliers for any changes in their cybersecurity posture, such as new vulnerabilities, security incidents, or changes in business operations. Use monitoring tools, threat intelligence, and regular communication with suppliers to stay informed.
  • Establish clear channels of communication with suppliers to ensure cybersecurity risks are regularly discussed. Set up periodic reviews of the relationship, risk assessments, and response strategies.

  • GV.SC-08: Relevant suppliers and other third parties are included in incident planning, response, and recovery activities.

This Subcategory helps ensure that external partners, suppliers, and vendors are actively involved in the organization’s cybersecurity incident management processes.

These actionable steps can help you comply with this Subcategory:

  • Assess the cybersecurity posture of relevant suppliers and third parties and integrate their roles and responsibilities into the incident response plan (IRP).
  • Establish joint response procedures with critical suppliers and third-party service providers.
  • Organize joint tabletop exercises with your suppliers and third-party partners to simulate cybersecurity incidents.
  • Ensure that contracts with key suppliers and third parties include clear terms related to incident reporting, response timelines, and participation in recovery efforts.

  • GV.SC-09: Supply chain security practices are integrated into cybersecurity and enterprise risk management programs, and their performance is monitored throughout the technology product and service life cycle.

This Subcategory focuses on embedding supply chain security within the broader cybersecurity and risk management frameworks of an organization.

These actionable steps can help you comply with this Subcategory:

  • Integrate supply chain security practices into your organization's cybersecurity and ERM framework. Define clear policies for assessing and managing third-party risks, including vendor risk assessments, and ensure that these practices are aligned with the overall business and cybersecurity objectives.
  • Regularly evaluate the cybersecurity risks associated with suppliers, especially those that provide critical infrastructure, software, or services.
  • Set clear security requirements for all third-party vendors and suppliers, ensuring they meet baseline cybersecurity standards.
  • Implement continuous monitoring tools and processes to track the performance of suppliers' security practices throughout the life cycle of their products and services.
  • Ensure that supply chain risk considerations are included in your incident response and disaster recovery plans.

  • GV.SC-10: Cybersecurity supply chain risk management plans include provisions for activities that occur after the conclusion of a partnership or service agreement.

This Subcategory focuses on ensuring that organizations have a comprehensive strategy for managing cybersecurity risks even after a partnership or service agreement ends.

These actionable steps can help you comply with this Subcategory:

  • Ensure that contracts with vendors and service providers include specific clauses that mandate the secure deletion or return of sensitive data once the agreement ends.
  • Immediately revoke all access the vendor held once their service agreement concludes: user and service accounts, API keys, certificates, VPN and remote-support accounts, and federated identities in your IdP. Reconcile the revocation against your supplier inventory rather than relying on memory, since access granted outside the contract is the access most often left behind.
  • Implement a process for verifying that all intellectual property, software, and other proprietary materials are returned or securely destroyed at the conclusion of the relationship.
  • Continue to monitor for potential cybersecurity risks post-partnership, particularly around data left behind or systems that were shared.
  • Ensure that your contracts with third-party vendors clearly outline the post-contractual cybersecurity obligations, such as ongoing support, reporting of incidents, or potential liability for security breaches that might occur after the relationship ends.
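The two checks most often missed at contract end are orphaned credentials and data-deletion evidence that never arrived. The script below, an added example and not code from this page, from NIST, or from any vendor product, reconciles a constructed export of third-party credentials against a constructed contract register and reports both: enabled credentials whose supplier's contract has ended (or whose supplier is not in the register at all, which is the worse case because nothing will ever trigger its offboarding), and ended contracts with no data-deletion certificate inside a 30-day deadline. The supplier names, credential kinds, severities and the deadline are assumptions for illustration; in practice the identities would be exported from your IdP, VPN, cloud IAM and secrets store, and the dates from procurement.

```python
"""Post-termination access and data-return check for GV.SC-10.

Added example, not part of the NIST CSF or this page. The contract register,
the external-identity export, the credential severities and the 30-day
deletion-certificate deadline are all constructed for illustration.
"""
from datetime import date, timedelta

AS_OF = date(2025, 1, 15)                    # constructed "today"
DELETION_CERT_DEADLINE = timedelta(days=30)  # constructed contractual deadline

# supplier -> (contract end date or None if still active,
#              date a data-deletion/return certificate was received or None)
CONTRACTS = {
    "CloudHost Inc": (None, None),
    "Payroll SaaS": (date(2024, 11, 30), date(2024, 12, 10)),
    "OldMSP Ltd": (date(2024, 9, 30), None),
}

# Constructed export: one row per credential issued to a third party.
EXTERNAL_IDENTITIES = [
    {"id": "svc-cloudhost-deploy", "supplier": "CloudHost Inc", "kind": "api_key", "enabled": True},
    {"id": "payroll-sftp", "supplier": "Payroll SaaS", "kind": "sftp_account", "enabled": False},
    {"id": "oldmsp-vpn-01", "supplier": "OldMSP Ltd", "kind": "vpn", "enabled": True},
    {"id": "oldmsp-admin", "supplier": "OldMSP Ltd", "kind": "domain_admin", "enabled": True},
    {"id": "contractor-jdoe", "supplier": "Unknown Consulting", "kind": "sso_user", "enabled": True},
]

# Triage order for findings (constructed): a forgotten domain admin outranks a forgotten SSO user.
SEVERITY = {"domain_admin": 0, "api_key": 1, "vpn": 1, "sftp_account": 2, "sso_user": 2}


def orphaned_access(identities, contracts, today=AS_OF):
    """Enabled credentials that should no longer exist, as (id, kind, reason) tuples,
    most severe first. Two failure modes are flagged: the supplier's contract has
    ended, and the supplier is absent from the contract register altogether (access
    that was never tied to an agreement has no contract end to trigger its removal)."""
    findings = []
    for ident in identities:
        if not ident["enabled"]:
            continue
        if ident["supplier"] not in contracts:
            findings.append((ident["id"], ident["kind"], "supplier not in contract register"))
            continue
        end, _ = contracts[ident["supplier"]]
        if end is not None and end <= today:
            days = (today - end).days
            findings.append((ident["id"], ident["kind"], f"contract ended {days} days ago"))
    return sorted(findings, key=lambda f: (SEVERITY.get(f[1], 9), f[0]))


def missing_deletion_certificates(contracts, today=AS_OF, deadline=DELETION_CERT_DEADLINE):
    """Suppliers whose contract has ended, whose deletion-certificate deadline has
    passed, and from whom no certificate has been recorded."""
    return sorted(supplier for supplier, (end, cert) in contracts.items()
                  if end is not None and end <= today
                  and cert is None and today - end > deadline)


if __name__ == "__main__":
    for cred_id, kind, reason in orphaned_access(EXTERNAL_IDENTITIES, CONTRACTS):
        print(f"REVOKE {cred_id} ({kind}): {reason}")
    for supplier in missing_deletion_certificates(CONTRACTS):
        print(f"CHASE {supplier}: no deletion certificate within {DELETION_CERT_DEADLINE.days} days")
```

Run on a schedule, this turns the "immediately revoke access" step into something you can evidence to an auditor: the findings list is empty on a good day, and on a bad day it names the credential, its severity and how long it has outlived its contract.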

Ready to start your compliance journey with Log360?

Automate compliance checks, streamline audit reporting, and ensure continuous visibility across your IT environment.