Govern
Establish and monitor the organization's cybersecurity risk management strategy, expectations, and policy. Govern is the hub — it informs how all other functions are implemented.
The Center of the Wheel
Govern is not merely one of six co-equal functions; it is the core that the other five (Identify, Protect, Detect, Respond, Recover) orbit. Added in CSF 2.0, it formalizes what mature organizations already do: treat cybersecurity risk management as a first-class organizational concern rather than an IT problem.
Why Govern Exists
CSF 1.1 had five functions but no function-level home for the strategic and governance activities that make them work; governance, risk management strategy, and supply chain risk were tucked away as categories inside Identify (ID.GV, ID.RM, ID.SC). Who decides risk appetite? Who approves policy? How does cybersecurity align with business objectives? Those questions had no clear owner at the top level of the framework. Govern anchors them.
Categories
- GV.OC — Organizational Context — The circumstances surrounding the organization's cybersecurity risk decisions (mission, stakeholder expectations, dependencies, and legal, regulatory, and contractual requirements) are understood
- GV.RM — Risk Management Strategy — The organization’s priorities, constraints, risk tolerance, and appetite are established and communicated
- GV.RR — Roles, Responsibilities & Authorities — Cybersecurity roles, responsibilities, and authorities are established and communicated
- GV.PO — Policy — Organizational cybersecurity policy is established, communicated, and enforced
- GV.OV — Oversight — Results of cybersecurity risk management activities are used to inform, improve, and adjust the strategy
- GV.SC — Cybersecurity Supply Chain Risk Management — Supply chain risks are identified, assessed, and managed
Key Concepts
Risk appetite vs. risk tolerance. Appetite is the amount and type of risk leadership is willing to accept in pursuit of its objectives, stated broadly at the strategic level. Tolerance is the acceptable variance around that appetite, expressed as measurable thresholds that operational teams can act on (for example, a maximum number of unpatched critical vulnerabilities in production). Govern (GV.RM) is where both are defined, communicated, and used to support day-to-day risk decisions.
Cybersecurity as business risk. Not IT risk. Not technical risk. Business risk. Govern frames cybersecurity in terms the board and leadership understand: financial impact, operational disruption, reputational damage, legal liability.
Supply chain risk management is not new to the framework: CSF 1.1 introduced it as a category under Identify (ID.SC). CSF 2.0 promotes it to Govern as GV.SC and expands it, reflecting the reality that your security posture is only as strong as the posture of your vendors and dependencies. SolarWinds (a compromised vendor build pipeline) and Log4Shell (a critical flaw in an open-source library embedded across countless products) proved this isn't optional.