
CSF-FORM-IMPL-2 CSF Current and Target Profile


Please note: This sample shows only a section of the complete current and target profile tool.

CSF Current and Target Profile

FUNCTION: GOVERN (GV), 31 Subcategories
The organization’s cybersecurity risk management strategy, expectations, and policy are established, communicated, and monitored

Column key used for each category below:
  Category current tier and category target tier (CSF tiers 1-4)
  Subcategory applicable? (Yes/No)
  Is category target tier currently met? (Yes/No/N/A), with a per-category total of subcategories marked Yes

Organizational Context (GV.OC): The circumstances — mission, stakeholder expectations, dependencies, and legal, regulatory, and contractual requirements — surrounding the organization’s cybersecurity risk management decisions are understood
  Current tier: Tier 1 - Partial
  Target tier: Tier 1 - Partial
  Subcategories (all marked Applicable: Yes):
    GV.OC-01: The organizational mission is understood and informs cybersecurity risk management
    GV.OC-02: Internal and external stakeholders are understood, and their needs and expectations regarding cybersecurity risk management are understood and considered
    GV.OC-03: Legal, regulatory, and contractual requirements regarding cybersecurity — including privacy and civil liberties obligations — are understood and managed
    GV.OC-04: Critical objectives, capabilities, and services that stakeholders depend on or expect from the organization are understood and communicated
    GV.OC-05: Outcomes, capabilities, and services that the organization depends on are understood and communicated
  Totals: 5 applicable; target tier currently met: N/A for all 5; total met: 0

Risk Management Strategy (GV.RM): The organization’s priorities, constraints, risk tolerance and appetite statements, and assumptions are established, communicated, and used to support operational risk decisions
  Current tier: Tier 1 - Partial
  Target tier: Tier 1 - Partial
  Subcategories (all marked Applicable: Yes):
    GV.RM-01: Risk management objectives are established and agreed to by organizational stakeholders
    GV.RM-02: Risk appetite and risk tolerance statements are determined, communicated, and maintained
    GV.RM-03: Cybersecurity risk management activities and outcomes are included in enterprise risk management processes
    GV.RM-04: Strategic direction that describes appropriate risk response options is established and communicated
    GV.RM-05: Lines of communication across the organization are established for cybersecurity risks, including risks from suppliers and other third parties
    GV.RM-06: A standardized method for calculating, documenting, categorizing, and prioritizing cybersecurity risks is established and communicated
    GV.RM-07: Strategic opportunities (i.e., positive risks) are characterized and included in organizational cybersecurity risk discussions
  Totals: 7 applicable; target tier currently met: N/A for all 7; total met: 0

Roles, Responsibilities, and Authorities (GV.RR): Cybersecurity roles, responsibilities, and authorities to foster accountability, performance assessment, and continuous improvement are established and communicated
  Current tier: Tier 1 - Partial
  Target tier: Tier 1 - Partial
  Subcategories (all marked Applicable: Yes):
    GV.RR-01: Organizational leadership is responsible and accountable for cybersecurity risk and fosters a culture that is risk-aware, ethical, and continually improving
    GV.RR-02: Roles, responsibilities, and authorities related to cybersecurity risk management are established, communicated, understood, and enforced
    GV.RR-03: Adequate resources are allocated commensurate with cybersecurity risk strategy, roles and responsibilities, and policies
    GV.RR-04: Cybersecurity is included in human resources practices
  Totals: 4 applicable; target tier currently met: N/A for all 4; total met: 0

Policy (GV.PO): Organizational cybersecurity policy is established, communicated, and enforced
  Current tier: Tier 1 - Partial
  Target tier: Tier 1 - Partial
  Subcategories (all marked Applicable: Yes):
    GV.PO-01: Policy for managing cybersecurity risks is established based on organizational context, cybersecurity strategy, and priorities and is communicated and enforced
    GV.PO-02: Policy for managing cybersecurity risks is reviewed, updated, communicated, and enforced to reflect changes in requirements, threats, technology, and organizational mission
  Totals: 2 applicable; target tier currently met: N/A for both; total met: 0

Oversight (GV.OV): Results of organizationwide cybersecurity risk management activities and performance are used to inform, improve, and adjust the risk management strategy
  Current tier: Tier 1 - Partial
  Target tier: Tier 1 - Partial
  Subcategories (all marked Applicable: Yes):
    GV.OV-01: Cybersecurity risk management strategy outcomes are reviewed to inform and adjust strategy and direction
    GV.OV-02: The cybersecurity risk management strategy is reviewed and adjusted to ensure coverage of organizational requirements and risks
    GV.OV-03: Organizational cybersecurity risk management performance is evaluated and reviewed for adjustments needed
  Totals: 3 applicable; target tier currently met: N/A for all 3; total met: 0

Cybersecurity Supply Chain Risk Management (GV.SC): Cyber supply chain risk management processes are identified, established, managed, monitored, and improved by organizational stakeholders
  Current tier: Tier 1 - Partial
  Target tier: Tier 1 - Partial
  Subcategories (all marked Applicable: Yes):
    GV.SC-01: A cybersecurity supply chain risk management program, strategy, objectives, policies, and processes are established and agreed to by organizational stakeholders
    GV.SC-02: Cybersecurity roles and responsibilities for suppliers, customers, and partners are established, communicated, and coordinated internally and externally
    GV.SC-03: Cybersecurity supply chain risk management is integrated into cybersecurity and enterprise risk management, risk assessment, and improvement processes
    GV.SC-04: Suppliers are known and prioritized by criticality
    GV.SC-05: Requirements to address cybersecurity risks in supply chains are established, prioritized, and integrated into contracts and other types of agreements with suppliers and other relevant third parties
    GV.SC-06: Planning and due diligence are performed to reduce risks before entering into formal supplier or other third-party relationships
    GV.SC-07: The risks posed by a supplier, their products and services, and other third parties are understood, recorded, prioritized, assessed, responded to, and monitored over the course of the relationship
    GV.SC-08: Relevant suppliers and other third parties are included in incident planning, response, and recovery activities
    GV.SC-09: Supply chain security practices are integrated into cybersecurity and enterprise risk management programs, and their performance is monitored throughout the technology product and service life cycle
    GV.SC-10: Cybersecurity supply chain risk management plans include provisions for activities that occur after the conclusion of a partnership or service agreement
  Totals: 10 applicable; target tier currently met: N/A for nine subcategories and No for one (the sample does not make clear which); total met: 0

The remaining columns of the profile tool are blank in this sample: Current Provision, Target Provision, Target Priority, Action Item(s), Responsible Parties, Notes, Target Completion Date.


CSF-FORM-IMPL-2 CSF Current and Target Profile by CertiKit Limited