Control Number | Control | Current Control Implementation from Evidence | Date | Action |
---|---|---|---|---|
GV.OC - 01 | The organizational mission is understood and informs cybersecurity risk management | | 2025-03-24 | |
GV.OC - 02 | Internal and external stakeholders are understood, and their needs and expectations regarding cybersecurity risk management are understood and considered | | 2025-03-24 | |
GV.OC - 03 | Legal, regulatory, and contractual requirements regarding cybersecurity - including privacy and civil liberties obligations - are understood and managed | | 2025-03-24 | |
GV.OC - 04 | Critical objectives, capabilities, and services that external stakeholders depend on or expect from the organization are understood and communicated | | 2025-03-24 | |
GV.OC - 05 | Outcomes, capabilities, and services that the organization depends on are understood and communicated | | 2025-03-24 | |
GV.RM - 01 | Risk management objectives are established and agreed to by organizational stakeholders | | 2025-03-24 | |
GV.RM - 02 | Risk appetite and risk tolerance statements are established, communicated, and maintained | | 2025-03-24 | |
GV.RM - 03 | Cybersecurity risk management activities and outcomes are included in enterprise risk management processes | | 2025-03-24 | |
GV.RM - 04 | Strategic direction that describes appropriate risk response options is established and communicated | | 2025-03-24 | |
GV.RM - 05 | Lines of communication across the organization are established for cybersecurity risks, including risks from suppliers and other third parties | | 2025-03-24 | |
GV.RM - 06 | A standardized method for calculating, documenting, categorizing, and prioritizing cybersecurity risks is established and communicated | | 2025-03-24 | |
GV.RM - 07 | Strategic opportunities (i.e., positive risks) are characterized and are included in organizational cybersecurity risk discussions | | 2025-03-24 | |
GV.RR - 01 | Organizational leadership is responsible and accountable for cybersecurity risk and fosters a culture that is risk-aware, ethical, and continually improving | | 2025-03-24 | |
GV.RR - 02 | Roles, responsibilities, and authorities related to cybersecurity risk management are established, communicated, understood, and enforced | | 2025-03-24 | |
GV.RR - 03 | Adequate resources are allocated commensurate with the cybersecurity risk strategy, roles, responsibilities, and policies | | 2025-03-24 | |
GV.RR - 04 | Cybersecurity is included in human resources practices | | 2025-03-24 | |
GV.PO - 01 | Policy for managing cybersecurity risks is established based on organizational context, cybersecurity strategy, and priorities and is communicated and enforced | | 2025-03-24 | |
GV.PO - 02 | Policy for managing cybersecurity risks is reviewed, updated, communicated, and enforced to reflect changes in requirements, threats, technology, and organizational mission | | 2025-03-24 | |
GV.SC - 01 | A cybersecurity supply chain risk management program, strategy, objectives, policies, and processes are established and agreed to by organizational stakeholders | | 2025-03-24 | |
GV.SC - 02 | Cybersecurity roles and responsibilities for suppliers, customers, and partners are established, communicated, and coordinated internally and externally | | 2025-03-24 | |
GV.SC - 03 | Cybersecurity supply chain risk management is integrated into cybersecurity and enterprise risk management, risk assessment, and improvement processes | | 2025-03-24 | |
GV.SC - 04 | Suppliers are known and prioritized by criticality | | 2025-03-24 | |
GV.SC - 05 | Requirements to address cybersecurity risks in supply chains are established, prioritized, and integrated into contracts and other types of agreements with suppliers and other relevant third parties | | 2025-03-24 | |
GV.SC - 06 | Planning and due diligence are performed to reduce risks before entering into formal supplier or other third-party relationships | | 2025-03-24 | |
GV.SC - 07 | The risks posed by a supplier, their products and services, and other third parties are understood, recorded, prioritized, assessed, responded to, and monitored over the course of the relationship | | 2025-03-24 | |
GV.SC - 08 | Relevant suppliers and other third parties are included in incident planning, response, and recovery activities | | 2025-03-24 | |
GV.SC - 09 | Supply chain security practices are integrated into cybersecurity and enterprise risk management programs, and their performance is monitored throughout the technology product and service life cycle | | 2025-03-24 | |
GV.SC - 10 | Cybersecurity supply chain risk management plans include provisions for activities that occur after the conclusion of a partnership or service agreement | | 2025-03-24 | |
ID.AM - 1 | Inventories of hardware managed by the organization are maintained | | 2025-03-24 | |
ID.AM - 3 | Representations of the organization's authorized network communication and internal and external network data flows are maintained | | 2025-03-24 | |
ID.AM - 4 | Inventories of services provided by suppliers are maintained | | 2025-03-24 | |
ID.AM - 5 | Assets are prioritized based on classification, criticality, resources, and impact on the mission | | 2025-03-24 | |
ID.AM - 7 | Inventories of data and corresponding metadata for designated data types are maintained | | 2025-03-24 | |
ID.AM - 8 | Systems, hardware, software, services, and data are managed throughout their life cycles | | 2025-03-24 | |
ID.RA - 1 | Vulnerabilities in assets are identified, validated, and recorded | | 2025-03-24 | |
ID.RA - 2 | Cyber threat intelligence is received from information sharing forums and sources | | 2025-03-24 | |
ID.RA - 3 | Internal and external threats to the organization are identified and recorded | | 2025-03-24 | |
ID.RA - 4 | Potential impacts and likelihoods of threats exploiting vulnerabilities are identified and recorded | | 2025-03-24 | |