NIST CSF 2.0 self-assessment
Score every subcategory from 1 (Partial) to 4 (Adaptive) and get a maturity profile: spider diagrams for the 6 core functions and 22 categories, a full subcategory heatmap, and your priority improvements. Progress saves as you go.
Organizational Context GV.OC
GV.OC-01 The organizational mission is understood and informs cybersecurity risk management
GV.OC-02 Internal and external stakeholders are understood, and their needs and expectations regarding cybersecurity risk management are understood and considered
GV.OC-03 Legal, regulatory, and contractual requirements regarding cybersecurity – including privacy and civil liberties obligations – are understood and managed
GV.OC-04 Critical objectives, capabilities, and services that stakeholders depend on or expect from the organization are understood and communicated
GV.OC-05 Outcomes, capabilities, and services that the organization depends on are understood and communicated
Risk Management Strategy GV.RM
GV.RM-01 Risk management objectives are established and agreed to by organizational stakeholders
GV.RM-02 Risk appetite and risk tolerance statements are established, communicated, and maintained
GV.RM-03 Cybersecurity risk management activities and outcomes are included in enterprise risk management processes
GV.RM-04 Strategic direction that describes appropriate risk response options is established and communicated
GV.RM-05 Lines of communication across the organization are established for cybersecurity risks, including risks from suppliers and other third parties
GV.RM-06 A standardized method for calculating, documenting, categorizing, and prioritizing cybersecurity risks is established and communicated
GV.RM-07 Strategic opportunities (i.e., positive risks) are characterized and are included in organizational cybersecurity risk discussions
Roles, Responsibilities, and Authorities GV.RR
GV.RR-01 Organizational leadership is responsible and accountable for cybersecurity risk and fosters a culture that is risk-aware, ethical, and continually improving
GV.RR-02 Roles, responsibilities, and authorities related to cybersecurity risk management are established, communicated, understood, and enforced
GV.RR-03 Adequate resources are allocated commensurate with the cybersecurity risk strategy, roles, responsibilities, and policies
GV.RR-04 Cybersecurity is included in human resources practices
Policy GV.PO
GV.PO-01 Policy for managing cybersecurity risks is established based on organizational context, cybersecurity strategy, and priorities and is communicated and enforced
GV.PO-02 Policy for managing cybersecurity risks is reviewed, updated, communicated, and enforced to reflect changes in requirements, threats, technology, and organizational mission
Oversight GV.OV
GV.OV-01 Cybersecurity risk management strategy outcomes are reviewed to inform and adjust strategy and direction
GV.OV-02 The cybersecurity risk management strategy is reviewed and adjusted to ensure coverage of organizational requirements and risks
GV.OV-03 Organizational cybersecurity risk management performance is evaluated and reviewed for adjustments needed
Cybersecurity Supply Chain Risk Management GV.SC
GV.SC-01 A cybersecurity supply chain risk management program, strategy, objectives, policies, and processes are established and agreed to by organizational stakeholders
GV.SC-02 Cybersecurity roles and responsibilities for suppliers, customers, and partners are established, communicated, and coordinated internally and externally
GV.SC-03 Cybersecurity supply chain risk management is integrated into cybersecurity and enterprise risk management, risk assessment, and improvement processes
GV.SC-04 Suppliers are known and prioritized by criticality
GV.SC-05 Requirements to address cybersecurity risks in supply chains are established, prioritized, and integrated into contracts and other types of agreements with suppliers and other relevant third parties
GV.SC-06 Planning and due diligence are performed to reduce risks before entering into formal supplier or other third-party relationships
GV.SC-07 The risks posed by a supplier, their products and services, and other third parties are understood, recorded, prioritized, assessed, responded to, and monitored over the course of the relationship
GV.SC-08 Relevant suppliers and other third parties are included in incident planning, response, and recovery activities
GV.SC-09 Supply chain security practices are integrated into cybersecurity and enterprise risk management programs, and their performance is monitored throughout the technology product and service life cycle
GV.SC-10 Cybersecurity supply chain risk management plans include provisions for activities that occur after the conclusion of a partnership or service agreement