💼 PM-28 Risk Framing

Description

a. Identify and document:

Assumptions affecting risk assessments, risk responses, and risk monitoring;
Constraints affecting risk assessments, risk responses, and risk monitoring;
Priorities and trade-offs considered by the organization for managing risk; and
Organizational risk tolerance; b. Distribute the results of risk framing activities to [Assignment: organization-defined personnel]; and c. Review and update risk framing considerations [Assignment: organization-defined frequency].

Section	Policies	Compliance
💼 NIST CSF v2.0 → 💼 DE.AE-04: The estimated impact and scope of adverse events are understood	13	no data
💼 NIST CSF v2.0 → 💼 GV.OC-03: Legal, regulatory, and contractual requirements regarding cybersecurity - including privacy and civil liberties obligations - are understood and managed	6	no data
💼 NIST CSF v2.0 → 💼 GV.RM-04: Strategic direction that describes appropriate risk response options is established and communicated		no data
💼 NIST CSF v2.0 → 💼 GV.RM-06: A standardized method for calculating, documenting, categorizing, and prioritizing cybersecurity risks is established and communicated		no data
💼 NIST CSF v2.0 → 💼 GV.RM-07: Strategic opportunities (i.e., positive risks) are characterized and are included in organizational cybersecurity risk discussions		no data
💼 NIST CSF v2.0 → 💼 GV.SC-09: Supply chain security practices are integrated into cybersecurity and enterprise risk management programs, and their performance is monitored throughout the technology product and service life cycle		no data

Section	Sub Sections	Internal Rules	Policies	Flags	Compliance