| Control Number | Control | Current Control Implementation from Evidence | Date | Action |
| --- | --- | --- | --- | --- |
| GV.OC - 01 | The organizational mission is understood and informs cybersecurity risk management | | 2025-03-24 | |
| GV.OC - 02 | Internal and external stakeholders are understood, and their needs and expectations regarding cybersecurity risk management are understood and considered | | 2025-03-24 | |
| GV.OC - 03 | Legal, regulatory, and contractual requirements regarding cybersecurity - including privacy and civil liberties obligations - are understood and managed | | 2025-03-24 | |
| GV.OC - 04 | Critical objectives, capabilities, and services that external stakeholders depend on or expect from the organization are understood and communicated | | 2025-03-24 | |
| GV.OC - 05 | Outcomes, capabilities, and services that the organization depends on are understood and communicated | | 2025-03-24 | |
| GV.RM - 01 | Risk management objectives are established and agreed to by organizational stakeholders | | 2025-03-24 | |
| GV.RM - 02 | Risk appetite and risk tolerance statements are established, communicated, and maintained | | 2025-03-24 | |
| GV.RM - 03 | Cybersecurity risk management activities and outcomes are included in enterprise risk management processes | | 2025-03-24 | |
| GV.RM - 04 | Strategic direction that describes appropriate risk response options is established and communicated | | 2025-03-24 | |
| GV.RM - 05 | Lines of communication across the organization are established for cybersecurity risks, including risks from suppliers and other third parties | | 2025-03-24 | |
| GV.RM - 06 | A standardized method for calculating, documenting, categorizing, and prioritizing cybersecurity risks is established and communicated | | 2025-03-24 | |
| GV.RM - 07 | Strategic opportunities (i.e., positive risks) are characterized and are included in organizational cybersecurity risk discussions | | 2025-03-24 | |
| GV.RR - 01 | Organizational leadership is responsible and accountable for cybersecurity risk and fosters a culture that is risk-aware, ethical, and continually improving | | 2025-03-24 | |
| GV.RR - 02 | Roles, responsibilities, and authorities related to cybersecurity risk management are established, communicated, understood, and enforced | | 2025-03-24 | |
| GV.RR - 03 | Adequate resources are allocated commensurate with the cybersecurity risk strategy, roles, responsibilities, and policies | | 2025-03-24 | |
| GV.RR - 04 | Cybersecurity is included in human resources practices | | 2025-03-24 | |
| GV.PO - 01 | Policy for managing cybersecurity risks is established based on organizational context, cybersecurity strategy, and priorities and is communicated and enforced | | 2025-03-24 | |
| GV.PO - 02 | Policy for managing cybersecurity risks is reviewed, updated, communicated, and enforced to reflect changes in requirements, threats, technology, and organizational mission | | 2025-03-24 | |
| GV.SC - 01 | A cybersecurity supply chain risk management program, strategy, objectives, policies, and processes are established and agreed to by organizational stakeholders | | 2025-03-24 | |
| GV.SC - 02 | Cybersecurity roles and responsibilities for suppliers, customers, and partners are established, communicated, and coordinated internally and externally | | 2025-03-24 | |
| GV.SC - 03 | Cybersecurity supply chain risk management is integrated into cybersecurity and enterprise risk management, risk assessment, and improvement processes | | 2025-03-24 | |
| GV.SC - 04 | Suppliers are known and prioritized by criticality | | 2025-03-24 | |
| GV.SC - 05 | Requirements to address cybersecurity risks in supply chains are established, prioritized, and integrated into contracts and other types of agreements with suppliers and other relevant third parties | | 2025-03-24 | |
| GV.SC - 06 | Planning and due diligence are performed to reduce risks before entering into formal supplier or other third-party relationships | | 2025-03-24 | |
| GV.SC - 07 | The risks posed by a supplier, their products and services, and other third parties are understood, recorded, prioritized, assessed, responded to, and monitored over the course of the relationship | | 2025-03-24 | |
| GV.SC - 08 | Relevant suppliers and other third parties are included in incident planning, response, and recovery activities | | 2025-03-24 | |
| GV.SC - 09 | Supply chain security practices are integrated into cybersecurity and enterprise risk management programs, and their performance is monitored throughout the technology product and service life cycle | | 2025-03-24 | |
| GV.SC - 10 | Cybersecurity supply chain risk management plans include provisions for activities that occur after the conclusion of a partnership or service agreement | | 2025-03-24 | |
| ID.AM - 1 | Inventories of hardware managed by the organization are maintained | | 2025-03-24 | |
| ID.AM - 3 | Representations of the organization's authorized network communication and internal and external network data flows are maintained | | 2025-03-24 | |
| ID.AM - 4 | Inventories of services provided by suppliers are maintained | | 2025-03-24 | |
| ID.AM - 5 | Assets are prioritized based on classification, criticality, resources, and impact on the mission | | 2025-03-24 | |
| ID.AM - 7 | Inventories of data and corresponding metadata for designated data types are maintained | | 2025-03-24 | |
| ID.AM - 8 | Systems, hardware, software, services, and data are managed throughout their life cycles | | 2025-03-24 | |
| ID.RA - 1 | Vulnerabilities in assets are identified, validated, and recorded | | 2025-03-24 | |
| ID.RA - 2 | Cyber threat intelligence is received from information sharing forums and sources | | 2025-03-24 | |
| ID.RA - 3 | Internal and external threats to the organization are identified and recorded | | 2025-03-24 | |
| ID.RA - 4 | Potential impacts and likelihoods of threats exploiting vulnerabilities are identified and recorded | | 2025-03-24 | |