[{"id":"GV.OC","functionId":"GV","name":"Organizational Context","description":"The circumstances — mission, stakeholder expectations, dependencies, and legal, regulatory, and contractual requirements — surrounding the organization's cybersecurity risk management decisions are understood."},{"id":"GV.RM","functionId":"GV","name":"Risk Management Strategy","description":"The organization's priorities, constraints, risk tolerance and appetite statements, and assumptions are established, communicated, and used to support operational risk decisions."},{"id":"GV.RR","functionId":"GV","name":"Roles, Responsibilities, and Authorities","description":"Cybersecurity roles, responsibilities, and authorities to foster accountability, performance assessment, and continuous improvement are established and communicated."},{"id":"GV.PO","functionId":"GV","name":"Policy","description":"Organizational cybersecurity policy is established, communicated, and enforced."},{"id":"GV.OV","functionId":"GV","name":"Oversight","description":"Results of organization-wide cybersecurity risk management activities and performance are used to inform, improve, and adjust the risk management strategy."},{"id":"GV.SC","functionId":"GV","name":"Cybersecurity Supply Chain Risk Management","description":"Cyber supply chain risk management processes are identified, established, managed, monitored, and improved by organizational stakeholders."}]