💼 GV.RR-02: Roles, responsibilities, and authorities related to cybersecurity risk management are established, communicated, understood, and enforced

Contextual name: 💼 GV.RR-02: Roles, responsibilities, and authorities related to cybersecurity risk management are established, communicated, understood, and enforced
ID: /frameworks/nist-csf-v2.0/gv-rr/02
Located in: 💼 Roles, Responsibilities, and Authorities (GV.RR)

Description

Document risk management roles and responsibilities in policy
Document who is responsible and accountable for cybersecurity risk management activities and how those teams and individuals are to be consulted and informed
Include cybersecurity responsibilities and performance requirements in personnel descriptions
Document performance goals for personnel with cybersecurity risk management responsibilities, and periodically measure performance to identify areas for improvement
Clearly articulate cybersecurity responsibilities within operations, risk functions, and internal audit functions

Section	Sub Sections	Internal Rules	Policies	Flags
💼 NIST CSF v1.1 → 💼 DE.DP-1: Roles and responsibilities for detection are well defined to ensure accountability
💼 NIST CSF v1.1 → 💼 ID.AM-6: Cybersecurity roles and responsibilities for the entire workforce and third-party stakeholders (e.g., suppliers, customers, partners) are established
💼 NIST CSF v1.1 → 💼 ID.GV-2: Cybersecurity roles and responsibilities are coordinated and aligned with internal roles and external partners
💼 NIST SP 800-53 Revision 5 → 💼 PM-2 Information Security Program Leadership Role
💼 NIST SP 800-53 Revision 5 → 💼 PM-13 Security and Privacy Workforce
💼 NIST SP 800-53 Revision 5 → 💼 PM-19 Privacy Program Leadership Role
💼 NIST SP 800-53 Revision 5 → 💼 PM-23 Data Governance Body
💼 NIST SP 800-53 Revision 5 → 💼 PM-24 Data Integrity Board
💼 NIST SP 800-53 Revision 5 → 💼 PM-29 Risk Management Program Leadership Roles

Section	Sub Sections	Internal Rules	Policies	Flags