What is Roles and Responsibilities (GV.RR)?

Cybersecurity roles and responsibilities are coordinated and aligned with all internal and external stakeholders to enable accountability, performance assessment, and continuous improvement (formerly ID.GV-2)


Organizational leadership takes responsibility for decisions associated with cybersecurity risks and establishes a culture that is risk-aware, behaves in an ethical manner, and promotes continuous improvement 



Roles and responsibilities related to cybersecurity risk management are established and communicated (formerly ID.GV-2, ID.AM-6, and DE.DP-1)



Roles and responsibilities for customers, partners, and other third-party stakeholders are established and communicated (formerly ID.AM-6) 



Roles and responsibilities for suppliers are established, documented in contractual language, and communicated (formerly ID.AM-6) 



Lines of communication across the organization are established for cybersecurity risks, including supply chain risks



Resourcing and authorities for cybersecurity are decided commensurate with risk strategy, roles, and policies



Cybersecurity is included in human resources practices (e.g., training, deprovisioning, personnel screening) (formerly PR.IP-11)