diff --git a/backend/library/libraries/nist_csf-2.0-en.yaml b/backend/library/libraries/nist_csf-2.0-en.yaml
new file mode 100644
index 000000000..6452a17c4
--- /dev/null
+++ b/backend/library/libraries/nist_csf-2.0-en.yaml
@@ -0,0 +1,2779 @@
+urn: urn:intuitem:risk:library:nist-csf-2.0
+locale: en
+ref_id: NIST-CSF-2.0
+name: NIST CSF version 2.0
+description: National Institute of Standards and Technology - Cybersecurity Framework
+copyright: With the exception of material marked as copyrighted, information presented
+  on NIST sites are considered public information and may be distributed or copied.
+version: 1
+provider: NIST
+packager: intuitem
+objects:
+  framework:
+    urn: urn:intuitem:risk:framework:nist-csf-2.0
+    ref_id: NIST-CSF-2.0
+    name: NIST CSF v2.0
+    description: NIST Cybersecurity Framework
+    requirement_nodes:
+    - urn: urn:intuitem:risk:req_node:nist-csf-2.0:gv
+      assessable: false
+      depth: 1
+      ref_id: GV
+      name: GOVERN
+      description: The organization's cybersecurity risk management strategy, expectations,
+        and policy are established, communicated, and monitored
+    - urn: urn:intuitem:risk:req_node:nist-csf-2.0:gv.oc
+      assessable: false
+      depth: 2
+      parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:gv
+      ref_id: GV.OC
+      name: Organizational Context
+      description: The circumstances - mission, stakeholder expectations, dependencies,
+        and legal, regulatory, and contractual requirements - surrounding the organization's
+        cybersecurity risk management decisions are understood
+    - urn: urn:intuitem:risk:req_node:nist-csf-2.0:gv.oc-01
+      assessable: true
+      depth: 3
+      parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:gv.oc
+      ref_id: GV.OC-01
+      description: The organizational mission is understood and informs cybersecurity
+        risk management
+    - urn: urn:intuitem:risk:req_node:nist-csf-2.0:node5
+      assessable: false
+      depth: 4
+      parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:gv.oc-01
+      name: Examples
+      description: '1st: 1st Party Risk
+
+        Ex1: Share the organization''s mission (e.g., through vision and mission statements,
+        marketing, and service strategies) to provide a basis for identifying risks
+        that may impede that mission'
+    - urn: urn:intuitem:risk:req_node:nist-csf-2.0:gv.oc-02
+      assessable: true
+      depth: 3
+      parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:gv.oc
+      ref_id: GV.OC-02
+      description: Internal and external stakeholders are understood, and their needs
+        and expectations regarding cybersecurity risk management are understood and
+        considered
+    - urn: urn:intuitem:risk:req_node:nist-csf-2.0:node7
+      assessable: false
+      depth: 4
+      parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:gv.oc-02
+      name: Examples
+      description: '1st: 1st Party Risk
+
+        3rd: 3rd Party Risk
+
+        Ex1: Identify relevant internal stakeholders and their cybersecurity-related
+        expectations (e.g., performance and risk expectations of officers, directors,
+        and advisors; cultural expectations of employees)
+
+        Ex2: Identify relevant external stakeholders and their cybersecurity-related
+        expectations (e.g., privacy expectations of customers, business expectations
+        of partnerships, compliance expectations of regulators, ethics expectations
+        of society)'
+    - urn: urn:intuitem:risk:req_node:nist-csf-2.0:gv.oc-03
+      assessable: true
+      depth: 3
+      parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:gv.oc
+      ref_id: GV.OC-03
+      description: Legal, regulatory, and contractual requirements regarding cybersecurity
+        - including privacy and civil liberties obligations - are understood and managed
+    - urn: urn:intuitem:risk:req_node:nist-csf-2.0:node9
+      assessable: false
+      depth: 4
+      parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:gv.oc-03
+      name: Examples
+      description: '1st: 1st Party Risk
+
+        3rd: 3rd Party Risk
+
+        Ex1: Determine a process to track and manage legal and regulatory requirements
+        regarding protection of individuals'' information (e.g., Health Insurance
+        Portability and Accountability Act, California Consumer Privacy Act, General
+        Data Protection Regulation)
+
+        Ex2: Determine a process to track and manage contractual requirements for
+        cybersecurity management of supplier, customer, and partner information
+
+        Ex3: Align the organization''s cybersecurity strategy with legal, regulatory,
+        and contractual requirements'
+    - urn: urn:intuitem:risk:req_node:nist-csf-2.0:gv.oc-04
+      assessable: true
+      depth: 3
+      parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:gv.oc
+      ref_id: GV.OC-04
+      description: Critical objectives, capabilities, and services that stakeholders
+        depend on or expect from the organization are understood and communicated
+    - urn: urn:intuitem:risk:req_node:nist-csf-2.0:node11
+      assessable: false
+      depth: 4
+      parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:gv.oc-04
+      name: Examples
+      description: '1st: 1st Party Risk
+
+        3rd: 3rd Party Risk
+
+        Ex1: Establish criteria for determining the criticality of capabilities and
+        services as viewed by internal and external stakeholders
+
+        Ex2: Determine (e.g., from a business impact analysis) assets and business
+        operations that are vital to achieving mission objectives and the potential
+        impact of a loss (or partial loss) of such operations
+
+        Ex3: Establish and communicate resilience objectives (e.g., recovery time
+        objectives) for delivering critical capabilities and services in various operating
+        states (e.g., under attack, during recovery, normal operation)'
+    - urn: urn:intuitem:risk:req_node:nist-csf-2.0:gv.oc-05
+      assessable: true
+      depth: 3
+      parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:gv.oc
+      ref_id: GV.OC-05
+      description: Outcomes, capabilities, and services that the organization depends
+        on are understood and communicated
+    - urn: urn:intuitem:risk:req_node:nist-csf-2.0:node13
+      assessable: false
+      depth: 4
+      parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:gv.oc-05
+      name: Examples
+      description: 'Ex1: Create an inventory of the organization''s dependencies on
+        external resources (e.g., facilities, cloud-based hosting providers) and their
+        relationships to organizational assets and business functions
+
+        Ex2: Identify and document external dependencies that are potential points
+        of failure for the organization''s critical capabilities and services, and
+        share that information with appropriate personnel
+
+        3rd: 3rd Party Risk'
+    - urn: urn:intuitem:risk:req_node:nist-csf-2.0:gv.rm
+      assessable: false
+      depth: 2
+      parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:gv
+      ref_id: GV.RM
+      name: Risk Management Strategy
+      description: The organization's priorities, constraints, risk tolerance and
+        appetite statements, and assumptions are established, communicated, and used
+        to support operational risk decisions
+    - urn: urn:intuitem:risk:req_node:nist-csf-2.0:gv.rm-01
+      assessable: true
+      depth: 3
+      parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:gv.rm
+      ref_id: GV.RM-01
+      description: Risk management objectives are established and agreed to by organizational
+        stakeholders
+    - urn: urn:intuitem:risk:req_node:nist-csf-2.0:node16
+      assessable: false
+      depth: 4
+      parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:gv.rm-01
+      name: Examples
+      description: '1st: 1st Party Risk
+
+        Ex1: Update near-term and long-term cybersecurity risk management objectives
+        as part of annual strategic planning and when major changes occur
+
+        Ex2: Establish measurable objectives for cybersecurity risk management (e.g.,
+        manage the quality of user training, ensure adequate risk protection for industrial
+        control systems)
+
+        Ex3: Senior leaders agree about cybersecurity objectives and use them for
+        measuring and managing risk and performance'
+    - urn: urn:intuitem:risk:req_node:nist-csf-2.0:gv.rm-02
+      assessable: true
+      depth: 3
+      parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:gv.rm
+      ref_id: GV.RM-02
+      description: Risk appetite and risk tolerance statements are established, communicated,
+        and maintained
+    - urn: urn:intuitem:risk:req_node:nist-csf-2.0:node18
+      assessable: false
+      depth: 4
+      parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:gv.rm-02
+      name: Examples
+      description: '1st: 1st Party Risk
+
+        3rd: 3rd Party Risk
+
+        Ex1: Determine and communicate risk appetite statements that convey expectations
+        about the appropriate level of risk for the organization
+
+        Ex2: Translate risk appetite statements into specific, measurable, and broadly
+        understandable risk tolerance statements
+
+        Ex3: Refine organizational objectives and risk appetite periodically based
+        on known risk exposure and residual risk'
+    - urn: urn:intuitem:risk:req_node:nist-csf-2.0:gv.rm-03
+      assessable: true
+      depth: 3
+      parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:gv.rm
+      ref_id: GV.RM-03
+      description: Cybersecurity risk management activities and outcomes are included
+        in enterprise risk management processes
+    - urn: urn:intuitem:risk:req_node:nist-csf-2.0:node20
+      assessable: false
+      depth: 4
+      parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:gv.rm-03
+      name: Examples
+      description: '1st: 1st Party Risk
+
+        Ex1: Aggregate and manage cybersecurity risks alongside other enterprise risks
+        (e.g., compliance, financial, operational, regulatory, reputational, safety)
+
+        Ex2: Include cybersecurity risk managers in enterprise risk management planning
+
+        Ex3: Establish criteria for escalating cybersecurity risks within enterprise
+        risk management'
+    - urn: urn:intuitem:risk:req_node:nist-csf-2.0:gv.rm-04
+      assessable: true
+      depth: 3
+      parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:gv.rm
+      ref_id: GV.RM-04
+      description: Strategic direction that describes appropriate risk response options
+        is established and communicated
+    - urn: urn:intuitem:risk:req_node:nist-csf-2.0:node22
+      assessable: false
+      depth: 4
+      parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:gv.rm-04
+      name: Examples
+      description: '1st: 1st Party Risk
+
+        Ex1: Specify criteria for accepting and avoiding cybersecurity risk for various
+        classifications of data
+
+        Ex2: Determine whether to purchase cybersecurity insurance
+
+        Ex3: Document conditions under which shared responsibility models are acceptable
+        (e.g., outsourcing certain cybersecurity functions, having a third party perform
+        financial transactions on behalf of the organization, using public cloud-based
+        services)'
+    - urn: urn:intuitem:risk:req_node:nist-csf-2.0:gv.rm-05
+      assessable: true
+      depth: 3
+      parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:gv.rm
+      ref_id: GV.RM-05
+      description: Lines of communication across the organization are established
+        for cybersecurity risks, including risks from suppliers and other third parties
+    - urn: urn:intuitem:risk:req_node:nist-csf-2.0:node24
+      assessable: false
+      depth: 4
+      parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:gv.rm-05
+      name: Examples
+      description: '1st: 1st Party Risk
+
+        3rd: 3rd Party Risk
+
+        Ex1: Determine how to update senior executives, directors, and management
+        on the organization''s cybersecurity posture at agreed-upon intervals
+
+        Ex2: Identify how all departments across the organization - such as management,
+        operations, internal auditors, legal, acquisition, physical security, and
+        HR - will communicate with each other about cybersecurity risks'
+    - urn: urn:intuitem:risk:req_node:nist-csf-2.0:gv.rm-06
+      assessable: true
+      depth: 3
+      parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:gv.rm
+      ref_id: GV.RM-06
+      description: A standardized method for calculating, documenting, categorizing,
+        and prioritizing cybersecurity risks is established and communicated
+    - urn: urn:intuitem:risk:req_node:nist-csf-2.0:node26
+      assessable: false
+      depth: 4
+      parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:gv.rm-06
+      name: Examples
+      description: '1st: 1st Party Risk
+
+        Ex1: Establish criteria for using a quantitative approach to cybersecurity
+        risk analysis, and specify probability and exposure formulas
+
+        Ex2: Create and use templates (e.g., a risk register) to document cybersecurity
+        risk information (e.g., risk description, exposure, treatment, and ownership)
+
+        Ex3: Establish criteria for risk prioritization at the appropriate levels
+        within the enterprise
+
+        Ex4: Use a consistent list of risk categories to support integrating, aggregating,
+        and comparing cybersecurity risks'
+    - urn: urn:intuitem:risk:req_node:nist-csf-2.0:gv.rm-07
+      assessable: true
+      depth: 3
+      parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:gv.rm
+      ref_id: GV.RM-07
+      description: Strategic opportunities (i.e., positive risks) are characterized
+        and are included in organizational cybersecurity risk discussions
+    - urn: urn:intuitem:risk:req_node:nist-csf-2.0:node28
+      assessable: false
+      depth: 4
+      parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:gv.rm-07
+      name: Examples
+      description: '1st: 1st Party Risk
+
+        Ex1: Define and communicate guidance and methods for identifying opportunities
+        and including them in risk discussions (e.g., strengths, weaknesses, opportunities,
+        and threats [SWOT] analysis)
+
+        Ex2: Identify stretch goals and document them
+
+        Ex3: Calculate, document, and prioritize positive risks alongside negative
+        risks'
+    - urn: urn:intuitem:risk:req_node:nist-csf-2.0:gv.rr
+      assessable: false
+      depth: 2
+      parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:gv
+      ref_id: GV.RR
+      name: Roles, Responsibilities, and Authorities
+      description: Cybersecurity roles, responsibilities, and authorities to foster
+        accountability, performance assessment, and continuous improvement are established
+        and communicated
+    - urn: urn:intuitem:risk:req_node:nist-csf-2.0:gv.rr-01
+      assessable: true
+      depth: 3
+      parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:gv.rr
+      ref_id: GV.RR-01
+      description: Organizational leadership is responsible and accountable for cybersecurity
+        risk and fosters a culture that is risk-aware, ethical, and continually improving
+    - urn: urn:intuitem:risk:req_node:nist-csf-2.0:node31
+      assessable: false
+      depth: 4
+      parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:gv.rr-01
+      name: Examples
+      description: '1st: 1st Party Risk
+
+        Ex1: Leaders (e.g., directors) agree on their roles and responsibilities in
+        developing, implementing, and assessing the organization''s cybersecurity
+        strategy
+
+        Ex2: Share leaders'' expectations regarding a secure and ethical culture,
+        especially when current events present the opportunity to highlight positive
+        or negative examples of cybersecurity risk management
+
+        Ex3: Leaders direct the CISO to maintain a comprehensive cybersecurity risk
+        strategy and review and update it at least annually and after major events
+
+        Ex4: Conduct reviews to ensure adequate authority and coordination among those
+        responsible for managing cybersecurity risk'
+    - urn: urn:intuitem:risk:req_node:nist-csf-2.0:gv.rr-02
+      assessable: true
+      depth: 3
+      parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:gv.rr
+      ref_id: GV.RR-02
+      description: Roles, responsibilities, and authorities related to cybersecurity
+        risk management are established, communicated, understood, and enforced
+    - urn: urn:intuitem:risk:req_node:nist-csf-2.0:node33
+      assessable: false
+      depth: 4
+      parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:gv.rr-02
+      name: Examples
+      description: '1st: 1st Party Risk
+
+        Ex1: Document risk management roles and responsibilities in policy
+
+        Ex2: Document who is responsible and accountable for cybersecurity risk management
+        activities and how those teams and individuals are to be consulted and informed
+
+        Ex3: Include cybersecurity responsibilities and performance requirements in
+        personnel descriptions
+
+        Ex4: Document performance goals for personnel with cybersecurity risk management
+        responsibilities, and periodically measure performance to identify areas for
+        improvement
+
+        Ex5: Clearly articulate cybersecurity responsibilities within operations,
+        risk functions, and internal audit functions'
+    - urn: urn:intuitem:risk:req_node:nist-csf-2.0:gv.rr-03
+      assessable: true
+      depth: 3
+      parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:gv.rr
+      ref_id: GV.RR-03
+      description: Adequate resources are allocated commensurate with the cybersecurity
+        risk strategy, roles, responsibilities, and policies
+    - urn: urn:intuitem:risk:req_node:nist-csf-2.0:node35
+      assessable: false
+      depth: 4
+      parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:gv.rr-03
+      name: Examples
+      description: '1st: 1st Party Risk
+
+        3rd: 3rd Party Risk
+
+        Ex1: Conduct periodic management reviews to ensure that those given cybersecurity
+        risk management responsibilities have the necessary authority
+
+        Ex2: Identify resource allocation and investment in line with risk tolerance
+        and response
+
+        Ex3: Provide adequate and sufficient people, process, and technical resources
+        to support the cybersecurity strategy'
+    - urn: urn:intuitem:risk:req_node:nist-csf-2.0:gv.rr-04
+      assessable: true
+      depth: 3
+      parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:gv.rr
+      ref_id: GV.RR-04
+      description: Cybersecurity is included in human resources practices
+    - urn: urn:intuitem:risk:req_node:nist-csf-2.0:node37
+      assessable: false
+      depth: 4
+      parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:gv.rr-04
+      name: Examples
+      description: '1st: 1st Party Risk
+
+        Ex1: Integrate cybersecurity risk management considerations into human resources
+        processes (e.g., personnel screening, onboarding, change notification, offboarding)
+
+        Ex2: Consider cybersecurity knowledge to be a positive factor in hiring, training,
+        and retention decisions
+
+        Ex3: Conduct background checks prior to onboarding new personnel for sensitive
+        roles, and periodically repeat background checks for personnel with such roles
+
+        Ex4: Define and enforce obligations for personnel to be aware of, adhere to,
+        and uphold security policies as they relate to their roles'
+    - urn: urn:intuitem:risk:req_node:nist-csf-2.0:gv.po
+      assessable: false
+      depth: 2
+      parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:gv
+      ref_id: GV.PO
+      name: Policy
+      description: Organizational cybersecurity policy is established, communicated,
+        and enforced
+    - urn: urn:intuitem:risk:req_node:nist-csf-2.0:gv.po-01
+      assessable: true
+      depth: 3
+      parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:gv.po
+      ref_id: GV.PO-01
+      description: Policy for managing cybersecurity risks is established based on
+        organizational context, cybersecurity strategy, and priorities and is communicated
+        and enforced
+    - urn: urn:intuitem:risk:req_node:nist-csf-2.0:node40
+      assessable: false
+      depth: 4
+      parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:gv.po-01
+      name: Examples
+      description: '1st: 1st Party Risk
+
+        Ex1: Create, disseminate, and maintain an understandable, usable risk management
+        policy with statements of management intent, expectations, and direction
+
+        Ex2: Periodically review policy and supporting processes and procedures to
+        ensure that they align with risk management strategy objectives and priorities,
+        as well as the high-level direction of the cybersecurity policy
+
+        Ex3: Require approval from senior management on policy
+
+        Ex4: Communicate cybersecurity risk management policy and supporting processes
+        and procedures across the organization
+
+        Ex5: Require personnel to acknowledge receipt of policy when first hired,
+        annually, and whenever policy is updated'
+    - urn: urn:intuitem:risk:req_node:nist-csf-2.0:gv.po-02
+      assessable: true
+      depth: 3
+      parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:gv.po
+      ref_id: GV.PO-02
+      description: Policy for managing cybersecurity risks is reviewed, updated, communicated,
+        and enforced to reflect changes in requirements, threats, technology, and
+        organizational mission
+    - urn: urn:intuitem:risk:req_node:nist-csf-2.0:node42
+      assessable: false
+      depth: 4
+      parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:gv.po-02
+      name: Examples
+      description: '1st: 1st Party Risk
+
+        Ex1: Update policy based on periodic reviews of cybersecurity risk management
+        results to ensure that policy and supporting processes and procedures adequately
+        maintain risk at an acceptable level
+
+        Ex2: Provide a timeline for reviewing changes to the organization''s risk
+        environment (e.g., changes in risk or in the organization''s mission objectives),
+        and communicate recommended policy updates
+
+        Ex3: Update policy to reflect changes in legal and regulatory requirements
+
+        Ex4: Update policy to reflect changes in technology (e.g., adoption of artificial
+        intelligence) and changes to the business (e.g., acquisition of a new business,
+        new contract requirements)'
+    - urn: urn:intuitem:risk:req_node:nist-csf-2.0:gv.ov
+      assessable: false
+      depth: 2
+      parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:gv
+      ref_id: GV.OV
+      name: Oversight
+      description: Results of organization-wide cybersecurity risk management activities
+        and performance are used to inform, improve, and adjust the risk management
+        strategy
+    - urn: urn:intuitem:risk:req_node:nist-csf-2.0:gv.ov-01
+      assessable: true
+      depth: 3
+      parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:gv.ov
+      ref_id: GV.OV-01
+      description: Cybersecurity risk management strategy outcomes are reviewed to
+        inform and adjust strategy and direction
+    - urn: urn:intuitem:risk:req_node:nist-csf-2.0:node45
+      assessable: false
+      depth: 4
+      parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:gv.ov-01
+      name: Examples
+      description: '1st: 1st Party Risk
+
+        Ex1: Measure how well the risk management strategy and risk results have helped
+        leaders make decisions and achieve organizational objectives
+
+        Ex2: Examine whether cybersecurity risk strategies that impede operations
+        or innovation should be adjusted'
+    - urn: urn:intuitem:risk:req_node:nist-csf-2.0:gv.ov-02
+      assessable: true
+      depth: 3
+      parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:gv.ov
+      ref_id: GV.OV-02
+      description: The cybersecurity risk management strategy is reviewed and adjusted
+        to ensure coverage of organizational requirements and risks
+    - urn: urn:intuitem:risk:req_node:nist-csf-2.0:node47
+      assessable: false
+      depth: 4
+      parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:gv.ov-02
+      name: Examples
+      description: '1st: 1st Party Risk
+
+        Ex1: Review audit findings to confirm whether the existing cybersecurity strategy
+        has ensured compliance with internal and external requirements
+
+        Ex2: Review the performance oversight of those in cybersecurity-related roles
+        to determine whether policy changes are necessary
+
+        Ex3: Review strategy in light of cybersecurity incidents'
+    - urn: urn:intuitem:risk:req_node:nist-csf-2.0:gv.ov-03
+      assessable: true
+      depth: 3
+      parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:gv.ov
+      ref_id: GV.OV-03
+      description: Organizational cybersecurity risk management performance is evaluated
+        and reviewed for adjustments needed
+    - urn: urn:intuitem:risk:req_node:nist-csf-2.0:node49
+      assessable: false
+      depth: 4
+      parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:gv.ov-03
+      name: Examples
+      description: '1st: 1st Party Risk
+
+        Ex1: Review key performance indicators (KPIs) to ensure that organization-wide
+        policies and procedures achieve objectives
+
+        Ex2: Review key risk indicators (KRIs) to identify risks the organization
+        faces, including likelihood and potential impact
+
+        Ex3: Collect and communicate metrics on cybersecurity risk management with
+        senior leadership'
+    - urn: urn:intuitem:risk:req_node:nist-csf-2.0:gv.sc
+      assessable: false
+      depth: 2
+      parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:gv
+      ref_id: GV.SC
+      name: Cybersecurity Supply Chain Risk Management
+      description: Cyber supply chain risk management processes are identified, established,
+        managed, monitored, and improved by organizational stakeholders
+    - urn: urn:intuitem:risk:req_node:nist-csf-2.0:gv.sc-01
+      assessable: true
+      depth: 3
+      parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:gv.sc
+      ref_id: GV.SC-01
+      description: A cybersecurity supply chain risk management program, strategy,
+        objectives, policies, and processes are established and agreed to by organizational
+        stakeholders
+    - urn: urn:intuitem:risk:req_node:nist-csf-2.0:node52
+      assessable: false
+      depth: 4
+      parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:gv.sc-01
+      name: Examples
+      description: 'Ex1: Establish a strategy that expresses the objectives of the
+        cybersecurity supply chain risk management program
+
+        Ex2: Develop the cybersecurity supply chain risk management program, including
+        a plan (with milestones), policies, and procedures that guide implementation
+        and improvement of the program, and share the policies and procedures with
+        the organizational stakeholders
+
+        Ex3: Develop and implement program processes based on the strategy, objectives,
+        policies, and procedures that are agreed upon and performed by the organizational
+        stakeholders
+
+        Ex4: Establish a cross-organizational mechanism that ensures alignment between
+        functions that contribute to cybersecurity supply chain risk management, such
+        as cybersecurity, IT, operations, legal, human resources, and engineering
+
+        3rd: 3rd Party Risk'
+    - urn: urn:intuitem:risk:req_node:nist-csf-2.0:gv.sc-02
+      assessable: true
+      depth: 3
+      parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:gv.sc
+      ref_id: GV.SC-02
+      description: Cybersecurity roles and responsibilities for suppliers, customers,
+        and partners are established, communicated, and coordinated internally and
+        externally
+    - urn: urn:intuitem:risk:req_node:nist-csf-2.0:node54
+      assessable: false
+      depth: 4
+      parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:gv.sc-02
+      name: Examples
+      description: 'Ex1: Identify one or more specific roles or positions that will
+        be responsible and accountable for planning, resourcing, and executing cybersecurity
+        supply chain risk management activities
+
+        Ex2: Document cybersecurity supply chain risk management roles and responsibilities
+        in policy
+
+        Ex3: Create responsibility matrixes to document who will be responsible and
+        accountable for cybersecurity supply chain risk management activities and
+        how those teams and individuals will be consulted and informed
+
+        Ex4: Include cybersecurity supply chain risk management responsibilities and
+        performance requirements in personnel descriptions to ensure clarity and improve
+        accountability
+
+        Ex5: Document performance goals for personnel with cybersecurity risk management-specific
+        responsibilities, and periodically measure them to demonstrate and improve
+        performance
+
+        Ex6: Develop roles and responsibilities for suppliers, customers, and business
+        partners to address shared responsibilities for applicable cybersecurity risks,
+        and integrate them into organizational policies and applicable third-party
+        agreements
+
+        Ex7: Internally communicate cybersecurity supply chain risk management roles
+        and responsibilities for third parties
+
+        Ex8: Establish rules and protocols for information sharing and reporting processes
+        between the organization and its suppliers
+
+        3rd: 3rd Party Risk'
+    - urn: urn:intuitem:risk:req_node:nist-csf-2.0:gv.sc-03
+      assessable: true
+      depth: 3
+      parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:gv.sc
+      ref_id: GV.SC-03
+      description: Cybersecurity supply chain risk management is integrated into cybersecurity
+        and enterprise risk management, risk assessment, and improvement processes
+    - urn: urn:intuitem:risk:req_node:nist-csf-2.0:node56
+      assessable: false
+      depth: 4
+      parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:gv.sc-03
+      name: Examples
+      description: 'Ex1: Identify areas of alignment and overlap with cybersecurity
+        and enterprise risk management
+
+        Ex2: Establish integrated control sets for cybersecurity risk management and
+        cybersecurity supply chain risk management
+
+        Ex3: Integrate cybersecurity supply chain risk management into improvement
+        processes
+
+        Ex4: Escalate material cybersecurity risks in supply chains to senior management,
+        and address them at the enterprise risk management level
+
+        3rd: 3rd Party Risk'
+    - urn: urn:intuitem:risk:req_node:nist-csf-2.0:gv.sc-04
+      assessable: true
+      depth: 3
+      parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:gv.sc
+      ref_id: GV.SC-04
+      description: Suppliers are known and prioritized by criticality
+    - urn: urn:intuitem:risk:req_node:nist-csf-2.0:node58
+      assessable: false
+      depth: 4
+      parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:gv.sc-04
+      name: Examples
+      description: 'Ex1: Develop criteria for supplier criticality based on, for example,
+        the sensitivity of data processed or possessed by suppliers, the degree of
+        access to the organization''s systems, and the importance of the products
+        or services to the organization''s mission
+
+        Ex2: Keep a record of all suppliers, and prioritize suppliers based on the
+        criticality criteria
+
+        3rd: 3rd Party Risk'
+    - urn: urn:intuitem:risk:req_node:nist-csf-2.0:gv.sc-05
+      assessable: true
+      depth: 3
+      parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:gv.sc
+      ref_id: GV.SC-05
+      description: Requirements to address cybersecurity risks in supply chains are
+        established, prioritized, and integrated into contracts and other types of
+        agreements with suppliers and other relevant third parties
+    - urn: urn:intuitem:risk:req_node:nist-csf-2.0:node60
+      assessable: false
+      depth: 4
+      parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:gv.sc-05
+      name: Examples
+      description: 'Ex1: Establish security requirements for suppliers, products,
+        and services commensurate with their criticality level and potential impact
+        if compromised
+
+        Ex2: Include all cybersecurity and supply chain requirements that third parties
+        must follow and how compliance with the requirements may be verified in default
+        contractual language
+
+        Ex3: Define the rules and protocols for information sharing between the organization
+        and its suppliers and sub-tier suppliers in agreements
+
+        Ex4: Manage risk by including security requirements in agreements based on
+        their criticality and potential impact if compromised
+
+        Ex5: Define security requirements in service-level agreements (SLAs) for monitoring
+        suppliers for acceptable security performance throughout the supplier relationship
+        lifecycle
+
+        Ex6: Contractually require suppliers to disclose cybersecurity features, functions,
+        and vulnerabilities of their products and services for the life of the product
+        or the term of service
+
+        Ex7: Contractually require suppliers to provide and maintain a current component
+        inventory (e.g., software or hardware bill of materials) for critical products
+
+        Ex8: Contractually require suppliers to vet their employees and guard against
+        insider threats
+
+        Ex9: Contractually require suppliers to provide evidence of performing acceptable
+        security practices through, for example, self-attestation, conformance to
+        known standards, certifications, or inspections
+
+        Ex10: Specify in contracts and other agreements the rights and responsibilities
+        of the organization, its suppliers, and their supply chains, with respect
+        to potential cybersecurity risks
+
+        3rd: 3rd Party Risk'
+    - urn: urn:intuitem:risk:req_node:nist-csf-2.0:gv.sc-06
+      assessable: true
+      depth: 3
+      parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:gv.sc
+      ref_id: GV.SC-06
+      description: Planning and due diligence are performed to reduce risks before
+        entering into formal supplier or other third-party relationships
+    - urn: urn:intuitem:risk:req_node:nist-csf-2.0:node62
+      assessable: false
+      depth: 4
+      parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:gv.sc-06
+      name: Examples
+      description: 'Ex1: Perform thorough due diligence on prospective suppliers that
+        is consistent with procurement planning and commensurate with the level of
+        risk, criticality, and complexity of each supplier relationship
+
+        Ex2: Assess the suitability of the technology and cybersecurity capabilities
+        and the risk management practices of prospective suppliers
+
+        Ex3: Conduct supplier risk assessments against business and applicable cybersecurity
+        requirements
+
+        Ex4: Assess the authenticity, integrity, and security of critical products
+        prior to acquisition and use
+
+        3rd: 3rd Party Risk'
+    - urn: urn:intuitem:risk:req_node:nist-csf-2.0:gv.sc-07
+      assessable: true
+      depth: 3
+      parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:gv.sc
+      ref_id: GV.SC-07
+      description: The risks posed by a supplier, their products and services, and
+        other third parties are understood, recorded, prioritized, assessed, responded
+        to, and monitored over the course of the relationship
+    - urn: urn:intuitem:risk:req_node:nist-csf-2.0:node64
+      assessable: false
+      depth: 4
+      parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:gv.sc-07
+      name: Examples
+      description: 'Ex1: Adjust assessment formats and frequencies based on the third
+        party''s reputation and the criticality of the products or services they provide
+
+        Ex2: Evaluate third parties'' evidence of compliance with contractual cybersecurity
+        requirements, such as self-attestations, warranties, certifications, and other
+        artifacts
+
+        Ex3: Monitor critical suppliers to ensure that they are fulfilling their security
+        obligations throughout the supplier relationship lifecycle using a variety
+        of methods and techniques, such as inspections, audits, tests, or other forms
+        of evaluation
+
+        Ex4: Monitor critical suppliers, services, and products for changes to their
+        risk profiles, and reevaluate supplier criticality and risk impact accordingly
+
+        Ex5: Plan for unexpected supplier and supply chain-related interruptions to
+        ensure business continuity
+
+        3rd: 3rd Party Risk'
+    - urn: urn:intuitem:risk:req_node:nist-csf-2.0:gv.sc-08
+      assessable: true
+      depth: 3
+      parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:gv.sc
+      ref_id: GV.SC-08
+      description: Relevant suppliers and other third parties are included in incident
+        planning, response, and recovery activities
+    - urn: urn:intuitem:risk:req_node:nist-csf-2.0:node66
+      assessable: false
+      depth: 4
+      parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:gv.sc-08
+      name: Examples
+      description: 'Ex1: Define and use rules and protocols for reporting incident
+        response and recovery activities and the status between the organization and
+        its suppliers
+
+        Ex2: Identify and document the roles and responsibilities of the organization
+        and its suppliers for incident response
+
+        Ex3: Include critical suppliers in incident response exercises and simulations
+
+        Ex4: Define and coordinate crisis communication methods and protocols between
+        the organization and its critical suppliers
+
+        Ex5: Conduct collaborative lessons learned sessions with critical suppliers
+
+        3rd: 3rd Party Risk'
+    - urn: urn:intuitem:risk:req_node:nist-csf-2.0:gv.sc-09
+      assessable: true
+      depth: 3
+      parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:gv.sc
+      ref_id: GV.SC-09
+      description: Supply chain security practices are integrated into cybersecurity
+        and enterprise risk management programs, and their performance is monitored
+        throughout the technology product and service life cycle
+    - urn: urn:intuitem:risk:req_node:nist-csf-2.0:node68
+      assessable: false
+      depth: 4
+      parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:gv.sc-09
+      name: Examples
+      description: 'Ex1: Policies and procedures require provenance records for all
+        acquired technology products and services
+
+        Ex2: Periodically provide risk reporting to leaders about how acquired components
+        are proven to be untampered and authentic
+
+        Ex3: Communicate regularly among cybersecurity risk managers and operations
+        personnel about the need to acquire software patches, updates, and upgrades
+        only from authenticated and trustworthy software providers
+
+        Ex4: Review policies to ensure that they require approved supplier personnel
+        to perform maintenance on supplier products
+
+        Ex5: Policies and procedure require checking upgrades to critical hardware
+        for unauthorized changes
+
+        3rd: 3rd Party Risk'
+    - urn: urn:intuitem:risk:req_node:nist-csf-2.0:gv.sc-10
+      assessable: true
+      depth: 3
+      parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:gv.sc
+      ref_id: GV.SC-10
+      description: Cybersecurity supply chain risk management plans include provisions
+        for activities that occur after the conclusion of a partnership or service
+        agreement
+    - urn: urn:intuitem:risk:req_node:nist-csf-2.0:node70
+      assessable: false
+      depth: 4
+      parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:gv.sc-10
+      name: Examples
+      description: 'Ex1: Establish processes for terminating critical relationships
+        under both normal and adverse circumstances
+
+        Ex2: Define and implement plans for component end-of-life maintenance support
+        and obsolescence
+
+        Ex3: Verify that supplier access to organization resources is deactivated
+        promptly when it is no longer needed
+
+        Ex4: Verify that assets containing the organization''s data are returned or
+        properly disposed of in a timely, controlled, and safe manner
+
+        Ex5: Develop and execute a plan for terminating or transitioning supplier
+        relationships that takes supply chain security risk and resiliency into account
+
+        Ex6: Mitigate risks to data and systems created by supplier termination
+
+        Ex7: Manage data leakage risks associated with supplier termination
+
+        3rd: 3rd Party Risk'
+    - urn: urn:intuitem:risk:req_node:nist-csf-2.0:id
+      assessable: false
+      depth: 1
+      ref_id: ID
+      name: IDENTIFY
+      description: The organization's current cybersecurity risks are understood
+    - urn: urn:intuitem:risk:req_node:nist-csf-2.0:id.am
+      assessable: false
+      depth: 2
+      parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:id
+      ref_id: ID.AM
+      name: Asset Management
+      description: Assets (e.g., data, hardware, software, systems, facilities, services,
+        people) that enable the organization to achieve business purposes are identified
+        and managed consistent with their relative importance to organizational objectives
+        and the organization's risk strategy
+    - urn: urn:intuitem:risk:req_node:nist-csf-2.0:id.am-01
+      assessable: true
+      depth: 3
+      parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:id.am
+      ref_id: ID.AM-01
+      description: Inventories of hardware managed by the organization are maintained
+    - urn: urn:intuitem:risk:req_node:nist-csf-2.0:node74
+      assessable: false
+      depth: 4
+      parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:id.am-01
+      name: Examples
+      description: '1st: 1st Party Risk
+
+        Ex1: Maintain inventories for all types of hardware, including IT, IoT, OT,
+        and mobile devices
+
+        Ex2: Constantly monitor networks to detect new hardware and automatically
+        update inventories'
+    - urn: urn:intuitem:risk:req_node:nist-csf-2.0:id.am-02
+      assessable: true
+      depth: 3
+      parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:id.am
+      ref_id: ID.AM-02
+      description: Inventories of software, services, and systems managed by the organization
+        are maintained
+    - urn: urn:intuitem:risk:req_node:nist-csf-2.0:node76
+      assessable: false
+      depth: 4
+      parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:id.am-02
+      name: Examples
+      description: '1st: 1st Party Risk
+
+        Ex1: Maintain inventories for all types of software and services, including
+        commercial-off-the-shelf, open-source, custom applications, API services,
+        and cloud-based applications and services
+
+        Ex2: Constantly monitor all platforms, including containers and virtual machines,
+        for software and service inventory changes
+
+        Ex3: Maintain an inventory of the organization''s systems'
+    - urn: urn:intuitem:risk:req_node:nist-csf-2.0:id.am-03
+      assessable: true
+      depth: 3
+      parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:id.am
+      ref_id: ID.AM-03
+      description: Representations of the organization's authorized network communication
+        and internal and external network data flows are maintained
+    - urn: urn:intuitem:risk:req_node:nist-csf-2.0:node78
+      assessable: false
+      depth: 4
+      parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:id.am-03
+      name: Examples
+      description: '1st: 1st Party Risk
+
+        3rd: 3rd Party Risk
+
+        Ex1: Maintain baselines of communication and data flows within the organization''s
+        wired and wireless networks
+
+        Ex2: Maintain baselines of communication and data flows between the organization
+        and third parties
+
+        Ex3: Maintain baselines of communication and data flows for the organization''s
+        infrastructure-as-a-service (IaaS) usage
+
+        Ex4: Maintain documentation of expected network ports, protocols, and services
+        that are typically used among authorized systems'
+    - urn: urn:intuitem:risk:req_node:nist-csf-2.0:id.am-04
+      assessable: true
+      depth: 3
+      parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:id.am
+      ref_id: ID.AM-04
+      description: Inventories of services provided by suppliers are maintained
+    - urn: urn:intuitem:risk:req_node:nist-csf-2.0:node80
+      assessable: false
+      depth: 4
+      parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:id.am-04
+      name: Examples
+      description: 'Ex1: Inventory all external services used by the organization,
+        including third-party infrastructure-as-a-service (IaaS), platform-as-a-service
+        (PaaS), and software-as-a-service (SaaS) offerings; APIs; and other externally
+        hosted application services
+
+        Ex2: Update the inventory when a new external service is going to be utilized
+        to ensure adequate cybersecurity risk management monitoring of the organization''s
+        use of that service
+
+        3rd: 3rd Party Risk'
+    - urn: urn:intuitem:risk:req_node:nist-csf-2.0:id.am-05
+      assessable: true
+      depth: 3
+      parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:id.am
+      ref_id: ID.AM-05
+      description: Assets are prioritized based on classification, criticality, resources,
+        and impact on the mission
+    - urn: urn:intuitem:risk:req_node:nist-csf-2.0:node82
+      assessable: false
+      depth: 4
+      parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:id.am-05
+      name: Examples
+      description: '1st: 1st Party Risk
+
+        Ex1: Define criteria for prioritizing each class of assets
+
+        Ex2: Apply the prioritization criteria to assets
+
+        Ex3: Track the asset priorities and update them periodically or when significant
+        changes to the organization occur'
+    - urn: urn:intuitem:risk:req_node:nist-csf-2.0:id.am-07
+      assessable: true
+      depth: 3
+      parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:id.am
+      ref_id: ID.AM-07
+      description: Inventories of data and corresponding metadata for designated data
+        types are maintained
+    - urn: urn:intuitem:risk:req_node:nist-csf-2.0:node84
+      assessable: false
+      depth: 4
+      parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:id.am-07
+      name: Examples
+      description: '1st: 1st Party Risk
+
+        Ex1: Maintain a list of the designated data types of interest (e.g., personally
+        identifiable information, protected health information, financial account
+        numbers, organization intellectual property, operational technology data)
+
+        Ex2: Continuously discover and analyze ad hoc data to identify new instances
+        of designated data types
+
+        Ex3: Assign data classifications to designated data types through tags or
+        labels
+
+        Ex4: Track the provenance, data owner, and geolocation of each instance of
+        designated data types'
+    - urn: urn:intuitem:risk:req_node:nist-csf-2.0:id.am-08
+      assessable: true
+      depth: 3
+      parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:id.am
+      ref_id: ID.AM-08
+      description: Systems, hardware, software, services, and data are managed throughout
+        their life cycles
+    - urn: urn:intuitem:risk:req_node:nist-csf-2.0:node86
+      assessable: false
+      depth: 4
+      parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:id.am-08
+      name: Examples
+      description: '1st: 1st Party Risk
+
+        3rd: 3rd Party Risk
+
+        Ex1: Integrate cybersecurity considerations throughout the life cycles of
+        systems, hardware, software, and services
+
+        Ex2: Integrate cybersecurity considerations into product life cycles
+
+        Ex3: Identify unofficial uses of technology to meet mission objectives (i.e.,
+        shadow IT)
+
+        Ex4: Periodically identify redundant systems, hardware, software, and services
+        that unnecessarily increase the organization''s attack surface
+
+        Ex5: Properly configure and secure systems, hardware, software, and services
+        prior to their deployment in production
+
+        Ex6: Update inventories when systems, hardware, software, and services are
+        moved or transferred within the organization
+
+        Ex7: Securely destroy stored data based on the organization''s data retention
+        policy using the prescribed destruction method, and keep and manage a record
+        of the destructions
+
+        Ex8: Securely sanitize data storage when hardware is being retired, decommissioned,
+        reassigned, or sent for repairs or replacement
+
+        Ex9: Offer methods for destroying paper, storage media, and other physical
+        forms of data storage'
+    - urn: urn:intuitem:risk:req_node:nist-csf-2.0:id.ra
+      assessable: false
+      depth: 2
+      parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:id
+      ref_id: ID.RA
+      name: Risk Assessment
+      description: The cybersecurity risk to the organization, assets, and individuals
+        is understood by the organization
+    - urn: urn:intuitem:risk:req_node:nist-csf-2.0:id.ra-01
+      assessable: true
+      depth: 3
+      parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:id.ra
+      ref_id: ID.RA-01
+      description: Vulnerabilities in assets are identified, validated, and recorded
+    - urn: urn:intuitem:risk:req_node:nist-csf-2.0:node89
+      assessable: false
+      depth: 4
+      parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:id.ra-01
+      name: Examples
+      description: '1st: 1st Party Risk
+
+        Ex1: Use vulnerability management technologies to identify unpatched and misconfigured
+        software
+
+        Ex2: Assess network and system architectures for design and implementation
+        weaknesses that affect cybersecurity
+
+        Ex3: Review, analyze, or test organization-developed software to identify
+        design, coding, and default configuration vulnerabilities
+
+        Ex4: Assess facilities that house critical computing assets for physical vulnerabilities
+        and resilience issues
+
+        Ex5: Monitor sources of cyber threat intelligence for information on new vulnerabilities
+        in products and services
+
+        Ex6: Review processes and procedures for weaknesses that could be exploited
+        to affect cybersecurity'
+    - urn: urn:intuitem:risk:req_node:nist-csf-2.0:id.ra-02
+      assessable: true
+      depth: 3
+      parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:id.ra
+      ref_id: ID.RA-02
+      description: Cyber threat intelligence is received from information sharing
+        forums and sources
+    - urn: urn:intuitem:risk:req_node:nist-csf-2.0:node91
+      assessable: false
+      depth: 4
+      parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:id.ra-02
+      name: Examples
+      description: '1st: 1st Party Risk
+
+        Ex1: Configure cybersecurity tools and technologies with detection or response
+        capabilities to securely ingest cyber threat intelligence feeds
+
+        Ex2: Receive and review advisories from reputable third parties on current
+        threat actors and their tactics, techniques, and procedures (TTPs)
+
+        Ex3: Monitor sources of cyber threat intelligence for information on the types
+        of vulnerabilities that emerging technologies may have'
+    - urn: urn:intuitem:risk:req_node:nist-csf-2.0:id.ra-03
+      assessable: true
+      depth: 3
+      parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:id.ra
+      ref_id: ID.RA-03
+      description: Internal and external threats to the organization are identified
+        and recorded
+    - urn: urn:intuitem:risk:req_node:nist-csf-2.0:node93
+      assessable: false
+      depth: 4
+      parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:id.ra-03
+      name: Examples
+      description: '1st: 1st Party Risk
+
+        3rd: 3rd Party Risk
+
+        Ex1: Use cyber threat intelligence to maintain awareness of the types of threat
+        actors likely to target the organization and the TTPs they are likely to use
+
+        Ex2: Perform threat hunting to look for signs of threat actors within the
+        environment
+
+        Ex3: Implement processes for identifying internal threat actors'
+    - urn: urn:intuitem:risk:req_node:nist-csf-2.0:id.ra-04
+      assessable: true
+      depth: 3
+      parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:id.ra
+      ref_id: ID.RA-04
+      description: Potential impacts and likelihoods of threats exploiting vulnerabilities
+        are identified and recorded
+    - urn: urn:intuitem:risk:req_node:nist-csf-2.0:node95
+      assessable: false
+      depth: 4
+      parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:id.ra-04
+      name: Examples
+      description: '1st: 1st Party Risk
+
+        Ex1: Business leaders and cybersecurity risk management practitioners work
+        together to estimate the likelihood and impact of risk scenarios and record
+        them in risk registers
+
+        Ex2: Enumerate the potential business impacts of unauthorized access to the
+        organization''s communications, systems, and data processed in or by those
+        systems
+
+        Ex3: Account for the potential impacts of cascading failures for systems of
+        systems'
+    - urn: urn:intuitem:risk:req_node:nist-csf-2.0:id.ra-05
+      assessable: true
+      depth: 3
+      parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:id.ra
+      ref_id: ID.RA-05
+      description: Threats, vulnerabilities, likelihoods, and impacts are used to
+        understand inherent risk and inform risk response prioritization
+    - urn: urn:intuitem:risk:req_node:nist-csf-2.0:node97
+      assessable: false
+      depth: 4
+      parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:id.ra-05
+      name: Examples
+      description: '1st: 1st Party Risk
+
+        Ex1: Develop threat models to better understand risks to the data and identify
+        appropriate risk responses
+
+        Ex2: Prioritize cybersecurity resource allocations and investments based on
+        estimated likelihoods and impacts'
+    - urn: urn:intuitem:risk:req_node:nist-csf-2.0:id.ra-06
+      assessable: true
+      depth: 3
+      parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:id.ra
+      ref_id: ID.RA-06
+      description: Risk responses are chosen, prioritized, planned, tracked, and communicated
+    - urn: urn:intuitem:risk:req_node:nist-csf-2.0:node99
+      assessable: false
+      depth: 4
+      parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:id.ra-06
+      name: Examples
+      description: '1st: 1st Party Risk
+
+        Ex1: Apply the vulnerability management plan''s criteria for deciding whether
+        to accept, transfer, mitigate, or avoid risk
+
+        Ex2: Apply the vulnerability management plan''s criteria for selecting compensating
+        controls to mitigate risk
+
+        Ex3: Track the progress of risk response implementation (e.g., plan of action
+        and milestones [POA&M], risk register, risk detail report)
+
+        Ex4: Use risk assessment findings to inform risk response decisions and actions
+
+        Ex5: Communicate planned risk responses to affected stakeholders in priority
+        order'
+    - urn: urn:intuitem:risk:req_node:nist-csf-2.0:id.ra-07
+      assessable: true
+      depth: 3
+      parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:id.ra
+      ref_id: ID.RA-07
+      description: Changes and exceptions are managed, assessed for risk impact, recorded,
+        and tracked
+    - urn: urn:intuitem:risk:req_node:nist-csf-2.0:node101
+      assessable: false
+      depth: 4
+      parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:id.ra-07
+      name: Examples
+      description: 'Ex1: Implement and follow procedures for the formal documentation,
+        review, testing, and approval of proposed changes and requested exceptions
+
+        Ex2: Document the possible risks of making or not making each proposed change,
+        and provide guidance on rolling back changes
+
+        Ex3: Document the risks related to each requested exception and the plan for
+        responding to those risks
+
+        Ex4: Periodically review risks that were accepted based upon planned future
+        actions or milestones'
+    - urn: urn:intuitem:risk:req_node:nist-csf-2.0:id.ra-08
+      assessable: true
+      depth: 3
+      parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:id.ra
+      ref_id: ID.RA-08
+      description: Processes for receiving, analyzing, and responding to vulnerability
+        disclosures are established
+    - urn: urn:intuitem:risk:req_node:nist-csf-2.0:node103
+      assessable: false
+      depth: 4
+      parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:id.ra-08
+      name: Examples
+      description: '1st: 1st Party Risk
+
+        3rd: 3rd Party Risk
+
+        Ex1: Conduct vulnerability information sharing between the organization and
+        its suppliers following the rules and protocols defined in contracts
+
+        Ex2: Assign responsibilities and verify the execution of procedures for processing,
+        analyzing the impact of, and responding to cybersecurity threat, vulnerability,
+        or incident disclosures by suppliers, customers, partners, and government
+        cybersecurity organizations'
+    - urn: urn:intuitem:risk:req_node:nist-csf-2.0:id.ra-09
+      assessable: true
+      depth: 3
+      parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:id.ra
+      ref_id: ID.RA-09
+      description: The authenticity and integrity of hardware and software are assessed
+        prior to acquisition and use
+    - urn: urn:intuitem:risk:req_node:nist-csf-2.0:node105
+      assessable: false
+      depth: 4
+      parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:id.ra-09
+      name: Examples
+      description: 'Ex1: Assess the authenticity and cybersecurity of critical technology
+        products and services prior to acquisition and use
+
+        3rd: 3rd Party Risk'
+    - urn: urn:intuitem:risk:req_node:nist-csf-2.0:id.ra-10
+      assessable: true
+      depth: 3
+      parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:id.ra
+      ref_id: ID.RA-10
+      description: Critical suppliers are assessed prior to acquisition
+    - urn: urn:intuitem:risk:req_node:nist-csf-2.0:node107
+      assessable: false
+      depth: 4
+      parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:id.ra-10
+      name: Examples
+      description: 'Ex1: Conduct supplier risk assessments against business and applicable
+        cybersecurity requirements, including the supply chain'
+    - urn: urn:intuitem:risk:req_node:nist-csf-2.0:id.im
+      assessable: false
+      depth: 2
+      parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:id
+      ref_id: ID.IM
+      name: Improvement
+      description: Improvements to organizational cybersecurity risk management processes,
+        procedures and activities are identified across all CSF Functions
+    - urn: urn:intuitem:risk:req_node:nist-csf-2.0:id.im-01
+      assessable: true
+      depth: 3
+      parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:id.im
+      ref_id: ID.IM-01
+      description: Improvements are identified from evaluations
+    - urn: urn:intuitem:risk:req_node:nist-csf-2.0:node110
+      assessable: false
+      depth: 4
+      parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:id.im-01
+      name: Examples
+      description: '1st: 1st Party Risk
+
+        Ex1: Perform self-assessments of critical services that take current threats
+        and TTPs into consideration
+
+        Ex2: Invest in third-party assessments or independent audits of the effectiveness
+        of the organization''s cybersecurity program to identify areas that need improvement
+
+        Ex3: Constantly evaluate compliance with selected cybersecurity requirements
+        through automated means'
+    - urn: urn:intuitem:risk:req_node:nist-csf-2.0:id.im-02
+      assessable: true
+      depth: 3
+      parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:id.im
+      ref_id: ID.IM-02
+      description: Improvements are identified from security tests and exercises,
+        including those done in coordination with suppliers and relevant third parties
+    - urn: urn:intuitem:risk:req_node:nist-csf-2.0:node112
+      assessable: false
+      depth: 4
+      parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:id.im-02
+      name: Examples
+      description: '1st: 1st Party Risk
+
+        3rd: 3rd Party Risk
+
+        Ex1: Identify improvements for future incident response activities based on
+        findings from incident response assessments (e.g., tabletop exercises and
+        simulations, tests, internal reviews, independent audits)
+
+        Ex2: Identify improvements for future business continuity, disaster recovery,
+        and incident response activities based on exercises performed in coordination
+        with critical service providers and product suppliers
+
+        Ex3: Involve internal stakeholders (e.g., senior executives, legal department,
+        HR) in security tests and exercises as appropriate
+
+        Ex4: Perform penetration testing to identify opportunities to improve the
+        security posture of selected high-risk systems as approved by leadership
+
+        Ex5: Exercise contingency plans for responding to and recovering from the
+        discovery that products or services did not originate with the contracted
+        supplier or partner or were altered before receipt
+
+        Ex6: Collect and analyze performance metrics using security tools and services
+        to inform improvements to the cybersecurity program'
+    - urn: urn:intuitem:risk:req_node:nist-csf-2.0:id.im-03
+      assessable: true
+      depth: 3
+      parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:id.im
+      ref_id: ID.IM-03
+      description: Improvements are identified from execution of operational processes,
+        procedures, and activities
+    - urn: urn:intuitem:risk:req_node:nist-csf-2.0:node114
+      assessable: false
+      depth: 4
+      parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:id.im-03
+      name: Examples
+      description: '1st: 1st Party Risk
+
+        Ex1: Conduct collaborative lessons learned sessions with suppliers
+
+        Ex2: Annually review cybersecurity policies, processes, and procedures to
+        take lessons learned into account
+
+        Ex3: Use metrics to assess operational cybersecurity performance over time'
+    - urn: urn:intuitem:risk:req_node:nist-csf-2.0:id.im-04
+      assessable: true
+      depth: 3
+      parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:id.im
+      ref_id: ID.IM-04
+      description: Incident response plans and other cybersecurity plans that affect
+        operations are established, communicated, maintained, and improved
+    - urn: urn:intuitem:risk:req_node:nist-csf-2.0:node116
+      assessable: false
+      depth: 4
+      parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:id.im-04
+      name: Examples
+      description: '1st: 1st Party Risk
+
+        Ex1: Establish contingency plans (e.g., incident response, business continuity,
+        disaster recovery) for responding to and recovering from adverse events that
+        can interfere with operations, expose confidential information, or otherwise
+        endanger the organization''s mission and viability
+
+        Ex2: Include contact and communication information, processes for handling
+        common scenarios, and criteria for prioritization, escalation, and elevation
+        in all contingency plans
+
+        Ex3: Create a vulnerability management plan to identify and assess all types
+        of vulnerabilities and to prioritize, test, and implement risk responses
+
+        Ex4: Communicate cybersecurity plans (including updates) to those responsible
+        for carrying them out and to affected parties
+
+        Ex5: Review and update all cybersecurity plans annually or when a need for
+        significant improvements is identified'
+    - urn: urn:intuitem:risk:req_node:nist-csf-2.0:pr
+      assessable: false
+      depth: 1
+      ref_id: PR
+      name: PROTECT
+      description: Safeguards to manage the organization's cybersecurity risks are
+        used
+    - urn: urn:intuitem:risk:req_node:nist-csf-2.0:pr.aa
+      assessable: false
+      depth: 2
+      parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:pr
+      ref_id: PR.AA
+      name: Identity Management, Authentication, and Access Control
+      description: Access to physical and logical assets is limited to authorized
+        users, services, and hardware and  managed commensurate with the assessed
+        risk of unauthorized access
+    - urn: urn:intuitem:risk:req_node:nist-csf-2.0:pr.aa-01
+      assessable: true
+      depth: 3
+      parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:pr.aa
+      ref_id: PR.AA-01
+      description: Identities and credentials for authorized users, services, and
+        hardware are managed by the organization
+    - urn: urn:intuitem:risk:req_node:nist-csf-2.0:node120
+      assessable: false
+      depth: 4
+      parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:pr.aa-01
+      name: Examples
+      description: '1st: 1st Party Risk
+
+        Ex1: Initiate requests for new access or additional access for employees,
+        contractors, and others, and track, review, and fulfill the requests, with
+        permission from system or data owners when needed
+
+        Ex2: Issue, manage, and revoke cryptographic certificates and identity tokens,
+        cryptographic keys (i.e., key management), and other credentials
+
+        Ex3: Select a unique identifier for each device from immutable hardware characteristics
+        or an identifier securely provisioned to the device
+
+        Ex4: Physically label authorized hardware with an identifier for inventory
+        and servicing purposes'
+    - urn: urn:intuitem:risk:req_node:nist-csf-2.0:pr.aa-02
+      assessable: true
+      depth: 3
+      parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:pr.aa
+      ref_id: PR.AA-02
+      description: Identities are proofed and bound to credentials based on the context
+        of interactions
+    - urn: urn:intuitem:risk:req_node:nist-csf-2.0:node122
+      assessable: false
+      depth: 4
+      parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:pr.aa-02
+      name: Examples
+      description: '1st: 1st Party Risk
+
+        3rd: 3rd Party Risk
+
+        Ex1: Verify a person''s claimed identity at enrollment time using government-issued
+        identity credentials (e.g., passport, visa, driver''s license)
+
+        Ex2: Issue a different credential for each person (i.e., no credential sharing)'
+    - urn: urn:intuitem:risk:req_node:nist-csf-2.0:pr.aa-03
+      assessable: true
+      depth: 3
+      parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:pr.aa
+      ref_id: PR.AA-03
+      description: Users, services, and hardware are authenticated
+    - urn: urn:intuitem:risk:req_node:nist-csf-2.0:node124
+      assessable: false
+      depth: 4
+      parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:pr.aa-03
+      name: Examples
+      description: '1st: 1st Party Risk
+
+        Ex1: Require multifactor authentication
+
+        Ex2: Enforce policies for the minimum strength of passwords, PINs, and similar
+        authenticators
+
+        Ex3: Periodically reauthenticate users, services, and hardware based on risk
+        (e.g., in zero trust architectures)
+
+        Ex4: Ensure that authorized personnel can access accounts essential for protecting
+        safety under emergency conditions'
+    - urn: urn:intuitem:risk:req_node:nist-csf-2.0:pr.aa-04
+      assessable: true
+      depth: 3
+      parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:pr.aa
+      ref_id: PR.AA-04
+      description: Identity assertions are protected, conveyed, and verified
+    - urn: urn:intuitem:risk:req_node:nist-csf-2.0:node126
+      assessable: false
+      depth: 4
+      parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:pr.aa-04
+      name: Examples
+      description: '1st: 1st Party Risk
+
+        Ex1: Protect identity assertions that are used to convey authentication and
+        user information through single sign-on systems
+
+        Ex2: Protect identity assertions that are used to convey authentication and
+        user information between federated systems
+
+        Ex3: Implement standards-based approaches for identity assertions in all contexts,
+        and follow all guidance for the generation (e.g., data models, metadata),
+        protection (e.g., digital signing, encryption), and verification (e.g., signature
+        validation) of identity assertions'
+    - urn: urn:intuitem:risk:req_node:nist-csf-2.0:pr.aa-05
+      assessable: true
+      depth: 3
+      parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:pr.aa
+      ref_id: PR.AA-05
+      description: Access permissions, entitlements, and authorizations are defined
+        in a policy, managed, enforced, and reviewed, and incorporate the principles
+        of least privilege and separation of duties
+    - urn: urn:intuitem:risk:req_node:nist-csf-2.0:node128
+      assessable: false
+      depth: 4
+      parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:pr.aa-05
+      name: Examples
+      description: '1st: 1st Party Risk
+
+        Ex1: Review logical and physical access privileges periodically and whenever
+        someone changes roles or leaves the organization, and promptly rescind privileges
+        that are no longer needed
+
+        Ex2: Take attributes of the requester and the requested resource into account
+        for authorization decisions (e.g., geolocation, day/time, requester endpoint''s
+        cyber health)
+
+        Ex3: Restrict access and privileges to the minimum necessary (e.g., zero trust
+        architecture)
+
+        Ex4: Periodically review the privileges associated with critical business
+        functions to confirm proper separation of duties'
+    - urn: urn:intuitem:risk:req_node:nist-csf-2.0:pr.aa-06
+      assessable: true
+      depth: 3
+      parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:pr.aa
+      ref_id: PR.AA-06
+      description: Physical access to assets is managed, monitored, and enforced commensurate
+        with risk
+    - urn: urn:intuitem:risk:req_node:nist-csf-2.0:node130
+      assessable: false
+      depth: 4
+      parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:pr.aa-06
+      name: Examples
+      description: '1st: 1st Party Risk
+
+        3rd: 3rd Party Risk
+
+        Ex1: Use security guards, security cameras, locked entrances, alarm systems,
+        and other physical controls to monitor facilities and restrict access
+
+        Ex2: Employ additional physical security controls for areas that contain high-risk
+        assets
+
+        Ex3: Escort guests, vendors, and other third parties within areas that contain
+        business-critical assets'
+    - urn: urn:intuitem:risk:req_node:nist-csf-2.0:pr.at
+      assessable: false
+      depth: 2
+      parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:pr
+      ref_id: PR.AT
+      name: Awareness and Training
+      description: The organization's personnel are provided with cybersecurity awareness
+        and training so that they can perform their cybersecurity-related tasks
+    - urn: urn:intuitem:risk:req_node:nist-csf-2.0:pr.at-01
+      assessable: true
+      depth: 3
+      parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:pr.at
+      ref_id: PR.AT-01
+      description: Personnel are provided with awareness and training so that they
+        possess the knowledge and skills to perform general tasks with cybersecurity
+        risks in mind
+    - urn: urn:intuitem:risk:req_node:nist-csf-2.0:node133
+      assessable: false
+      depth: 4
+      parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:pr.at-01
+      name: Examples
+      description: '1st: 1st Party Risk
+
+        Ex1: Provide basic cybersecurity awareness and training to employees, contractors,
+        partners, suppliers, and all other users of the organization''s non-public
+        resources
+
+        Ex2: Train personnel to recognize social engineering attempts and other common
+        attacks, report attacks and suspicious activity, comply with acceptable use
+        policies, and perform basic cyber hygiene tasks (e.g., patching software,
+        choosing passwords, protecting credentials)
+
+        Ex3: Explain the consequences of cybersecurity policy violations, both to
+        individual users and the organization as a whole
+
+        Ex4: Periodically assess or test users on their understanding of basic cybersecurity
+        practices
+
+        Ex5: Require annual refreshers to reinforce existing practices and introduce
+        new practices'
+    - urn: urn:intuitem:risk:req_node:nist-csf-2.0:pr.at-02
+      assessable: true
+      depth: 3
+      parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:pr.at
+      ref_id: PR.AT-02
+      description: Individuals in specialized roles are provided with awareness and
+        training so that they possess the knowledge and skills to perform relevant
+        tasks with cybersecurity risks in mind
+    - urn: urn:intuitem:risk:req_node:nist-csf-2.0:node135
+      assessable: false
+      depth: 4
+      parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:pr.at-02
+      name: Examples
+      description: '1st: 1st Party Risk
+
+        3rd: 3rd Party Risk
+
+        Ex1: Identify the specialized roles within the organization that require additional
+        cybersecurity training, such as physical and cybersecurity personnel, finance
+        personnel, senior leadership, and anyone with access to business-critical
+        data
+
+        Ex2: Provide role-based cybersecurity awareness and training to all those
+        in specialized roles, including contractors, partners, suppliers, and other
+        third parties
+
+        Ex3: Periodically assess or test users on their understanding of cybersecurity
+        practices for their specialized roles
+
+        Ex4: Require annual refreshers to reinforce existing practices and introduce
+        new practices'
+    - urn: urn:intuitem:risk:req_node:nist-csf-2.0:pr.ds
+      assessable: false
+      depth: 2
+      parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:pr
+      ref_id: PR.DS
+      name: Data Security
+      description: Data are managed consistent with the organization's risk strategy
+        to protect the confidentiality, integrity, and availability of information
+    - urn: urn:intuitem:risk:req_node:nist-csf-2.0:pr.ds-01
+      assessable: true
+      depth: 3
+      parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:pr.ds
+      ref_id: PR.DS-01
+      description: The confidentiality, integrity, and availability of data-at-rest
+        are protected
+    - urn: urn:intuitem:risk:req_node:nist-csf-2.0:node138
+      assessable: false
+      depth: 4
+      parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:pr.ds-01
+      name: Examples
+      description: '1st: 1st Party Risk
+
+        Ex1: Use encryption, digital signatures, and cryptographic hashes to protect
+        the confidentiality and integrity of stored data in files, databases, virtual
+        machine disk images, container images, and other resources
+
+        Ex2: Use full disk encryption to protect data stored on user endpoints
+
+        Ex3: Confirm the integrity of software by validating signatures
+
+        Ex4: Restrict the use of removable media to prevent data exfiltration
+
+        Ex5: Physically secure removable media containing unencrypted sensitive information,
+        such as within locked offices or file cabinets'
+    - urn: urn:intuitem:risk:req_node:nist-csf-2.0:pr.ds-02
+      assessable: true
+      depth: 3
+      parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:pr.ds
+      ref_id: PR.DS-02
+      description: The confidentiality, integrity, and availability of data-in-transit
+        are protected
+    - urn: urn:intuitem:risk:req_node:nist-csf-2.0:node140
+      assessable: false
+      depth: 4
+      parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:pr.ds-02
+      name: Examples
+      description: '1st: 1st Party Risk
+
+        Ex1: Use encryption, digital signatures, and cryptographic hashes to protect
+        the confidentiality and integrity of network communications
+
+        Ex2: Automatically encrypt or block outbound emails and other communications
+        that contain sensitive data, depending on the data classification
+
+        Ex3: Block access to personal email, file sharing, file storage services,
+        and other personal communications applications and services from organizational
+        systems and networks
+
+        Ex4: Prevent reuse of sensitive data from production environments (e.g., customer
+        records) in development, testing, and other non-production environments'
+    - urn: urn:intuitem:risk:req_node:nist-csf-2.0:pr.ds-10
+      assessable: true
+      depth: 3
+      parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:pr.ds
+      ref_id: PR.DS-10
+      description: The confidentiality, integrity, and availability of data-in-use
+        are protected
+    - urn: urn:intuitem:risk:req_node:nist-csf-2.0:node142
+      assessable: false
+      depth: 4
+      parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:pr.ds-10
+      name: Examples
+      description: '1st: 1st Party Risk
+
+        Ex1: Remove data that must remain confidential (e.g., from processors and
+        memory) as soon as it is no longer needed
+
+        Ex2: Protect data in use from access by other users and processes of the same
+        platform'
+    - urn: urn:intuitem:risk:req_node:nist-csf-2.0:pr.ds-11
+      assessable: true
+      depth: 3
+      parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:pr.ds
+      ref_id: PR.DS-11
+      description: Backups of data are created, protected, maintained, and tested
+    - urn: urn:intuitem:risk:req_node:nist-csf-2.0:node144
+      assessable: false
+      depth: 4
+      parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:pr.ds-11
+      name: Examples
+      description: '1st: 1st Party Risk
+
+        Ex1: Continuously back up critical data in near-real-time, and back up other
+        data frequently at agreed-upon schedules
+
+        Ex2: Test backups and restores for all types of data sources at least annually
+
+        Ex3: Securely store some backups offline and offsite so that an incident or
+        disaster will not damage them
+
+        Ex4: Enforce geographic separation and geolocation restrictions for data backup
+        storage'
+    - urn: urn:intuitem:risk:req_node:nist-csf-2.0:pr.ps
+      assessable: false
+      depth: 2
+      parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:pr
+      ref_id: PR.PS
+      name: Platform Security
+      description: The hardware, software (e.g., firmware, operating systems, applications),
+        and services of physical and virtual platforms are managed consistent with
+        the organization's risk strategy to protect their confidentiality, integrity,
+        and availability
+    - urn: urn:intuitem:risk:req_node:nist-csf-2.0:pr.ps-01
+      assessable: true
+      depth: 3
+      parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:pr.ps
+      ref_id: PR.PS-01
+      description: Configuration management practices are established and applied
+    - urn: urn:intuitem:risk:req_node:nist-csf-2.0:node147
+      assessable: false
+      depth: 4
+      parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:pr.ps-01
+      name: Examples
+      description: '1st: 1st Party Risk
+
+        Ex1: Establish, test, deploy, and maintain hardened baselines that enforce
+        the organization''s cybersecurity policies and provide only essential capabilities
+        (i.e., principle of least functionality)
+
+        Ex2: Review all default configuration settings that may potentially impact
+        cybersecurity when installing or upgrading software
+
+        Ex3: Monitor implemented software for deviations from approved baselines'
+    - urn: urn:intuitem:risk:req_node:nist-csf-2.0:pr.ps-02
+      assessable: true
+      depth: 3
+      parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:pr.ps
+      ref_id: PR.PS-02
+      description: Software is maintained, replaced, and removed commensurate with
+        risk
+    - urn: urn:intuitem:risk:req_node:nist-csf-2.0:node149
+      assessable: false
+      depth: 4
+      parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:pr.ps-02
+      name: Examples
+      description: '1st: 1st Party Risk
+
+        Ex1: Perform routine and emergency patching within the timeframes specified
+        in the vulnerability management plan
+
+        Ex2: Update container images, and deploy new container instances to replace
+        rather than update existing instances
+
+        Ex3: Replace end-of-life software and service versions with supported, maintained
+        versions
+
+        Ex4: Uninstall and remove unauthorized software and services that pose undue
+        risks
+
+        Ex5: Uninstall and remove any unnecessary software components (e.g., operating
+        system utilities) that attackers might misuse
+
+        Ex6: Define and implement plans for software and service end-of-life maintenance
+        support and obsolescence'
+    - urn: urn:intuitem:risk:req_node:nist-csf-2.0:pr.ps-03
+      assessable: true
+      depth: 3
+      parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:pr.ps
+      ref_id: PR.PS-03
+      description: Hardware is maintained, replaced, and removed commensurate with
+        risk
+    - urn: urn:intuitem:risk:req_node:nist-csf-2.0:node151
+      assessable: false
+      depth: 4
+      parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:pr.ps-03
+      name: Examples
+      description: '1st: 1st Party Risk
+
+        3rd: 3rd Party Risk
+
+        Ex1: Replace hardware when it lacks needed security capabilities or when it
+        cannot support software with needed security capabilities
+
+        Ex2: Define and implement plans for hardware end-of-life maintenance support
+        and obsolescence
+
+        Ex3: Perform hardware disposal in a secure, responsible, and auditable manner'
+    - urn: urn:intuitem:risk:req_node:nist-csf-2.0:pr.ps-04
+      assessable: true
+      depth: 3
+      parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:pr.ps
+      ref_id: PR.PS-04
+      description: Log records are generated and made available for continuous monitoring
+    - urn: urn:intuitem:risk:req_node:nist-csf-2.0:node153
+      assessable: false
+      depth: 4
+      parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:pr.ps-04
+      name: Examples
+      description: '1st: 1st Party Risk
+
+        Ex1: Configure all operating systems, applications, and services (including
+        cloud-based services) to generate log records
+
+        Ex2: Configure log generators to securely share their logs with the organization''s
+        logging infrastructure systems and services
+
+        Ex3: Configure log generators to record the data needed by zero-trust architectures'
+    - urn: urn:intuitem:risk:req_node:nist-csf-2.0:pr.ps-05
+      assessable: true
+      depth: 3
+      parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:pr.ps
+      ref_id: PR.PS-05
+      description: Installation and execution of unauthorized software are prevented
+    - urn: urn:intuitem:risk:req_node:nist-csf-2.0:node155
+      assessable: false
+      depth: 4
+      parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:pr.ps-05
+      name: Examples
+      description: '1st: 1st Party Risk
+
+        Ex1: When risk warrants it, restrict software execution to permitted products
+        only or deny the execution of prohibited and unauthorized software
+
+        Ex2: Verify the source of new software and the software''s integrity before
+        installing it
+
+        Ex3: Configure platforms to use only approved DNS services that block access
+        to known malicious domains
+
+        Ex4: Configure platforms to allow the installation of organization-approved
+        software only'
+    - urn: urn:intuitem:risk:req_node:nist-csf-2.0:pr.ps-06
+      assessable: true
+      depth: 3
+      parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:pr.ps
+      ref_id: PR.PS-06
+      description: Secure software development practices are integrated, and their
+        performance is monitored throughout the software development life cycle
+    - urn: urn:intuitem:risk:req_node:nist-csf-2.0:node157
+      assessable: false
+      depth: 4
+      parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:pr.ps-06
+      name: Examples
+      description: '1st: 1st Party Risk
+
+        Ex1: Protect all components of organization-developed software from tampering
+        and unauthorized access
+
+        Ex2: Secure all software produced by the organization, with minimal vulnerabilities
+        in their releases
+
+        Ex3: Maintain the software used in production environments, and securely dispose
+        of software once it is no longer needed'
+    - urn: urn:intuitem:risk:req_node:nist-csf-2.0:pr.ir
+      assessable: false
+      depth: 2
+      parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:pr
+      ref_id: PR.IR
+      name: Technology Infrastructure Resilience
+      description: Security architectures are managed with the organization's risk
+        strategy to protect asset confidentiality, integrity, and availability, and
+        organizational resilience
+    - urn: urn:intuitem:risk:req_node:nist-csf-2.0:pr.ir-01
+      assessable: true
+      depth: 3
+      parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:pr.ir
+      ref_id: PR.IR-01
+      description: Networks and environments are protected from unauthorized logical
+        access and usage
+    - urn: urn:intuitem:risk:req_node:nist-csf-2.0:node160
+      assessable: false
+      depth: 4
+      parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:pr.ir-01
+      name: Examples
+      description: '1st: 1st Party Risk
+
+        3rd: 3rd Party Risk
+
+        Ex1: Logically segment organization networks and cloud-based platforms according
+        to trust boundaries and platform types (e.g., IT, IoT, OT, mobile, guests),
+        and permit required communications only between segments
+
+        Ex2: Logically segment organization networks from external networks, and permit
+        only necessary communications to enter the organization''s networks from the
+        external networks
+
+        Ex3: Implement zero trust architectures to restrict network access to each
+        resource to the minimum necessary
+
+        Ex4: Check the cyber health of endpoints before allowing them to access and
+        use production resources'
+    - urn: urn:intuitem:risk:req_node:nist-csf-2.0:pr.ir-02
+      assessable: true
+      depth: 3
+      parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:pr.ir
+      ref_id: PR.IR-02
+      description: The organization's technology assets are protected from environmental
+        threats
+    - urn: urn:intuitem:risk:req_node:nist-csf-2.0:node162
+      assessable: false
+      depth: 4
+      parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:pr.ir-02
+      name: Examples
+      description: '1st: 1st Party Risk
+
+        3rd: 3rd Party Risk
+
+        Ex1: Protect organizational equipment from known environmental threats, such
+        as flooding, fire, wind, and excessive heat and humidity
+
+        Ex2: Include protection from environmental threats and provisions for adequate
+        operating infrastructure in requirements for service providers that operate
+        systems on the organization''s behalf'
+    - urn: urn:intuitem:risk:req_node:nist-csf-2.0:pr.ir-03
+      assessable: true
+      depth: 3
+      parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:pr.ir
+      ref_id: PR.IR-03
+      description: Mechanisms are implemented to achieve resilience requirements in
+        normal and adverse situations
+    - urn: urn:intuitem:risk:req_node:nist-csf-2.0:node164
+      assessable: false
+      depth: 4
+      parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:pr.ir-03
+      name: Examples
+      description: '1st: 1st Party Risk
+
+        Ex1: Avoid single points of failure in systems and infrastructure
+
+        Ex2: Use load balancing to increase capacity and improve reliability
+
+        Ex3: Use high-availability components like redundant storage and power supplies
+        to improve system reliability'
+    - urn: urn:intuitem:risk:req_node:nist-csf-2.0:pr.ir-04
+      assessable: true
+      depth: 3
+      parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:pr.ir
+      ref_id: PR.IR-04
+      description: Adequate resource capacity to ensure availability is maintained
+    - urn: urn:intuitem:risk:req_node:nist-csf-2.0:node166
+      assessable: false
+      depth: 4
+      parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:pr.ir-04
+      name: Examples
+      description: 'Ex1: Monitor usage of storage, power, compute, network bandwidth,
+        and other resources
+
+        Ex2: Forecast future needs, and scale resources accordingly'
+    - urn: urn:intuitem:risk:req_node:nist-csf-2.0:de
+      assessable: false
+      depth: 1
+      ref_id: DE
+      name: DETECT
+      description: Possible cybersecurity attacks and compromises are found and analyzed
+    - urn: urn:intuitem:risk:req_node:nist-csf-2.0:de.cm
+      assessable: false
+      depth: 2
+      parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:de
+      ref_id: DE.CM
+      name: Continuous Monitoring
+      description: Assets are monitored to find anomalies, indicators of compromise,
+        and other potentially adverse events
+    - urn: urn:intuitem:risk:req_node:nist-csf-2.0:de.cm-01
+      assessable: true
+      depth: 3
+      parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:de.cm
+      ref_id: DE.CM-01
+      description: Networks and network services are monitored to find potentially
+        adverse events
+    - urn: urn:intuitem:risk:req_node:nist-csf-2.0:node170
+      assessable: false
+      depth: 4
+      parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:de.cm-01
+      name: Examples
+      description: 'Ex1: Monitor DNS, BGP, and other network services for adverse
+        events
+
+        Ex2: Monitor wired and wireless networks for connections from unauthorized
+        endpoints
+
+        Ex3: Monitor facilities for unauthorized or rogue wireless networks
+
+        Ex4: Compare actual network flows against baselines to detect deviations
+
+        Ex5: Monitor network communications to identify changes in security postures
+        for zero trust purposes
+
+        1st: 1st Party Risk'
+    - urn: urn:intuitem:risk:req_node:nist-csf-2.0:de.cm-02
+      assessable: true
+      depth: 3
+      parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:de.cm
+      ref_id: DE.CM-02
+      description: The physical environment is monitored to find potentially adverse
+        events
+    - urn: urn:intuitem:risk:req_node:nist-csf-2.0:node172
+      assessable: false
+      depth: 4
+      parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:de.cm-02
+      name: Examples
+      description: 'Ex1: Monitor logs from physical access control systems (e.g.,
+        badge readers) to find unusual access patterns (e.g., deviations from the
+        norm) and failed access attempts
+
+        Ex2: Review and monitor physical access records (e.g., from visitor registration,
+        sign-in sheets)
+
+        Ex3: Monitor physical access controls (e.g., locks, latches, hinge pins, alarms)
+        for signs of tampering
+
+        Ex4: Monitor the physical environment using alarm systems, cameras, and security
+        guards
+
+        1st: 1st Party Risk'
+    - urn: urn:intuitem:risk:req_node:nist-csf-2.0:de.cm-03
+      assessable: true
+      depth: 3
+      parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:de.cm
+      ref_id: DE.CM-03
+      description: Personnel activity and technology usage are monitored to find potentially
+        adverse events
+    - urn: urn:intuitem:risk:req_node:nist-csf-2.0:node174
+      assessable: false
+      depth: 4
+      parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:de.cm-03
+      name: Examples
+      description: 'Ex1: Use behavior analytics software to detect anomalous user
+        activity to mitigate insider threats
+
+        Ex2: Monitor logs from logical access control systems to find unusual access
+        patterns and failed access attempts
+
+        Ex3: Continuously monitor deception technology, including user accounts, for
+        any usage
+
+        1st: 1st Party Risk'
+    - urn: urn:intuitem:risk:req_node:nist-csf-2.0:de.cm-06
+      assessable: true
+      depth: 3
+      parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:de.cm
+      ref_id: DE.CM-06
+      description: External service provider activities and services are monitored
+        to find potentially adverse events
+    - urn: urn:intuitem:risk:req_node:nist-csf-2.0:node176
+      assessable: false
+      depth: 4
+      parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:de.cm-06
+      name: Examples
+      description: 'Ex1: Monitor remote and onsite administration and maintenance
+        activities that external providers perform on organizational systems
+
+        Ex2: Monitor activity from cloud-based services, internet service providers,
+        and other service providers for deviations from expected behavior
+
+        3rd: 3rd Party Risk'
+    - urn: urn:intuitem:risk:req_node:nist-csf-2.0:de.cm-09
+      assessable: true
+      depth: 3
+      parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:de.cm
+      ref_id: DE.CM-09
+      description: Computing hardware and software, runtime environments, and their
+        data are monitored to find potentially adverse events
+    - urn: urn:intuitem:risk:req_node:nist-csf-2.0:node178
+      assessable: false
+      depth: 4
+      parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:de.cm-09
+      name: Examples
+      description: 'Ex1: Monitor email, web, file sharing, collaboration services,
+        and other common attack vectors to detect malware, phishing, data leaks and
+        exfiltration, and other adverse events
+
+        Ex2: Monitor authentication attempts to identify attacks against credentials
+        and unauthorized credential reuse
+
+        Ex3: Monitor software configurations for deviations from security baselines
+
+        Ex4: Monitor hardware and software for signs of tampering
+
+        Ex5: Use technologies with a presence on endpoints to detect cyber health
+        issues (e.g., missing patches, malware infections, unauthorized software),
+        and redirect the endpoints to a remediation environment before access is authorized
+
+        1st: 1st Party Risk'
+    - urn: urn:intuitem:risk:req_node:nist-csf-2.0:de.ae
+      assessable: false
+      depth: 2
+      parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:de
+      ref_id: DE.AE
+      name: Adverse Event Analysis
+      description: Anomalies, indicators of compromise, and other potentially adverse
+        events are analyzed to characterize the events and detect cybersecurity incidents
+    - urn: urn:intuitem:risk:req_node:nist-csf-2.0:de.ae-02
+      assessable: true
+      depth: 3
+      parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:de.ae
+      ref_id: DE.AE-02
+      description: Potentially adverse events are analyzed to better understand associated
+        activities
+    - urn: urn:intuitem:risk:req_node:nist-csf-2.0:node181
+      assessable: false
+      depth: 4
+      parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:de.ae-02
+      name: Examples
+      description: 'Ex1: Use security information and event management (SIEM) or other
+        tools to continuously monitor log events for known malicious and suspicious
+        activity
+
+        Ex2: Utilize up-to-date cyber threat intelligence in log analysis tools to
+        improve detection accuracy and characterize threat actors, their methods,
+        and indicators of compromise
+
+        Ex3: Regularly conduct manual reviews of log events for technologies that
+        cannot be sufficiently monitored through automation
+
+        Ex4: Use log analysis tools to generate reports on their findings
+
+        1st: 1st Party Risk'
+    - urn: urn:intuitem:risk:req_node:nist-csf-2.0:de.ae-03
+      assessable: true
+      depth: 3
+      parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:de.ae
+      ref_id: DE.AE-03
+      description: Information is correlated from multiple sources
+    - urn: urn:intuitem:risk:req_node:nist-csf-2.0:node183
+      assessable: false
+      depth: 4
+      parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:de.ae-03
+      name: Examples
+      description: 'Ex1: Constantly transfer log data generated by other sources to
+        a relatively small number of log servers
+
+        Ex2: Use event correlation technology (e.g., SIEM) to collect information
+        captured by multiple sources
+
+        Ex3: Utilize cyber threat intelligence to help correlate events among log
+        sources
+
+        1st: 1st Party Risk'
+    - urn: urn:intuitem:risk:req_node:nist-csf-2.0:de.ae-04
+      assessable: true
+      depth: 3
+      parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:de.ae
+      ref_id: DE.AE-04
+      description: The estimated impact and scope of adverse events are understood
+    - urn: urn:intuitem:risk:req_node:nist-csf-2.0:node185
+      assessable: false
+      depth: 4
+      parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:de.ae-04
+      name: Examples
+      description: 'Ex1: Use SIEMs or other tools to estimate impact and scope, and
+        review and refine the estimates
+
+        Ex2: A person creates their own estimates of impact and scope
+
+        1st: 1st Party Risk'
+    - urn: urn:intuitem:risk:req_node:nist-csf-2.0:de.ae-06
+      assessable: true
+      depth: 3
+      parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:de.ae
+      ref_id: DE.AE-06
+      description: Information on adverse events is provided to authorized staff and
+        tools
+    - urn: urn:intuitem:risk:req_node:nist-csf-2.0:node187
+      assessable: false
+      depth: 4
+      parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:de.ae-06
+      name: Examples
+      description: 'Ex1: Use cybersecurity software to generate alerts and provide
+        them to the security operations center (SOC), incident responders, and incident
+        response tools
+
+        Ex2: Incident responders and other authorized personnel can access log analysis
+        findings at all times
+
+        Ex3: Automatically create and assign tickets in the organization''s ticketing
+        system when certain types of alerts occur
+
+        Ex4: Manually create and assign tickets in the organization''s ticketing system
+        when technical staff discover indicators of compromise
+
+        1st: 1st Party Risk'
+    - urn: urn:intuitem:risk:req_node:nist-csf-2.0:de.ae-07
+      assessable: true
+      depth: 3
+      parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:de.ae
+      ref_id: DE.AE-07
+      description: Cyber threat intelligence and other contextual information are
+        integrated into the analysis
+    - urn: urn:intuitem:risk:req_node:nist-csf-2.0:node189
+      assessable: false
+      depth: 4
+      parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:de.ae-07
+      name: Examples
+      description: 'Ex1: Securely provide cyber threat intelligence feeds to detection
+        technologies, processes, and personnel
+
+        Ex2: Securely provide information from asset inventories to detection technologies,
+        processes, and personnel
+
+        Ex3: Rapidly acquire and analyze vulnerability disclosures for the organization''s
+        technologies from suppliers, vendors, and third-party security advisories
+
+        1st: 1st Party Risk'
+    - urn: urn:intuitem:risk:req_node:nist-csf-2.0:de.ae-08
+      assessable: true
+      depth: 3
+      parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:de.ae
+      ref_id: DE.AE-08
+      description: Incidents are declared when adverse events meet the defined incident
+        criteria
+    - urn: urn:intuitem:risk:req_node:nist-csf-2.0:node191
+      assessable: false
+      depth: 4
+      parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:de.ae-08
+      name: Examples
+      description: 'Ex1: Apply incident criteria to known and assumed characteristics
+        of activity in order to determine whether an incident should be declared
+
+        Ex2: Take known false positives into account when applying incident criteria
+
+        1st: 1st Party Risk'
+    - urn: urn:intuitem:risk:req_node:nist-csf-2.0:rs
+      assessable: false
+      depth: 1
+      ref_id: RS
+      name: RESPOND
+      description: Actions regarding a detected cybersecurity incident are taken
+    - urn: urn:intuitem:risk:req_node:nist-csf-2.0:rs.ma
+      assessable: false
+      depth: 2
+      parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:rs
+      ref_id: RS.MA
+      name: Incident Management
+      description: Responses to detected cybersecurity incidents are managed
+    - urn: urn:intuitem:risk:req_node:nist-csf-2.0:rs.ma-01
+      assessable: true
+      depth: 3
+      parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:rs.ma
+      ref_id: RS.MA-01
+      description: The incident response plan is executed in coordination with relevant
+        third parties once an incident is declared
+    - urn: urn:intuitem:risk:req_node:nist-csf-2.0:node195
+      assessable: false
+      depth: 4
+      parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:rs.ma-01
+      name: Examples
+      description: 'Ex1: Detection technologies automatically report confirmed incidents
+
+        Ex2: Request incident response assistance from the organization''s incident
+        response outsourcer
+
+        Ex3: Designate an incident lead for each incident
+
+        Ex4: Initiate execution of additional cybersecurity plans as needed to support
+        incident response (for example, business continuity and disaster recovery)
+
+        3rd: 3rd Party Risk'
+    - urn: urn:intuitem:risk:req_node:nist-csf-2.0:rs.ma-02
+      assessable: true
+      depth: 3
+      parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:rs.ma
+      ref_id: RS.MA-02
+      description: Incident reports are triaged and validated
+    - urn: urn:intuitem:risk:req_node:nist-csf-2.0:node197
+      assessable: false
+      depth: 4
+      parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:rs.ma-02
+      name: Examples
+      description: '1st: 1st Party Risk
+
+        Ex1: Preliminarily review incident reports to confirm that they are cybersecurity-related
+        and necessitate incident response activities
+
+        Ex2: Apply criteria to estimate the severity of an incident'
+    - urn: urn:intuitem:risk:req_node:nist-csf-2.0:rs.ma-03
+      assessable: true
+      depth: 3
+      parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:rs.ma
+      ref_id: RS.MA-03
+      description: Incidents are categorized and prioritized
+    - urn: urn:intuitem:risk:req_node:nist-csf-2.0:node199
+      assessable: false
+      depth: 4
+      parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:rs.ma-03
+      name: Examples
+      description: '1st: 1st Party Risk
+
+        Ex1: Further review and categorize incidents based on the type of incident
+        (e.g., data breach, ransomware, DDoS, account compromise)
+
+        Ex2: Prioritize incidents based on their scope, likely impact, and time-critical
+        nature
+
+        Ex3: Select incident response strategies for active incidents by balancing
+        the need to quickly recover from an incident with the need to observe the
+        attacker or conduct a more thorough investigation'
+    - urn: urn:intuitem:risk:req_node:nist-csf-2.0:rs.ma-04
+      assessable: true
+      depth: 3
+      parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:rs.ma
+      ref_id: RS.MA-04
+      description: Incidents are escalated or elevated as needed
+    - urn: urn:intuitem:risk:req_node:nist-csf-2.0:node201
+      assessable: false
+      depth: 4
+      parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:rs.ma-04
+      name: Examples
+      description: '1st: 1st Party Risk
+
+        Ex1: Track and validate the status of all ongoing incidents
+
+        Ex2: Coordinate incident escalation or elevation with designated internal
+        and external stakeholders'
+    - urn: urn:intuitem:risk:req_node:nist-csf-2.0:rs.ma-05
+      assessable: true
+      depth: 3
+      parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:rs.ma
+      ref_id: RS.MA-05
+      description: The criteria for initiating incident recovery are applied
+    - urn: urn:intuitem:risk:req_node:nist-csf-2.0:node203
+      assessable: false
+      depth: 4
+      parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:rs.ma-05
+      name: Examples
+      description: '1st: 1st Party Risk
+
+        Ex1: Apply incident recovery criteria to known and assumed characteristics
+        of the incident to determine whether incident recovery processes should be
+        initiated
+
+        Ex2: Take the possible operational disruption of incident recovery activities
+        into account'
+    - urn: urn:intuitem:risk:req_node:nist-csf-2.0:rs.an
+      assessable: false
+      depth: 2
+      parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:rs
+      ref_id: RS.AN
+      name: Incident Analysis
+      description: Investigations are conducted to ensure effective response and support
+        forensics and recovery activities
+    - urn: urn:intuitem:risk:req_node:nist-csf-2.0:rs.an-03
+      assessable: true
+      depth: 3
+      parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:rs.an
+      ref_id: RS.AN-03
+      description: Analysis is performed to establish what has taken place during
+        an incident and the root cause of the incident
+    - urn: urn:intuitem:risk:req_node:nist-csf-2.0:node206
+      assessable: false
+      depth: 4
+      parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:rs.an-03
+      name: Examples
+      description: '1st: 1st Party Risk
+
+        Ex1: Determine the sequence of events that occurred during the incident and
+        which assets and resources were involved in each event
+
+        Ex2: Attempt to determine what vulnerabilities, threats, and threat actors
+        were directly or indirectly involved in the incident
+
+        Ex3: Analyze the incident to find the underlying, systemic root causes
+
+        Ex4: Check any cyber deception technology for additional information on attacker
+        behavior'
+    - urn: urn:intuitem:risk:req_node:nist-csf-2.0:rs.an-06
+      assessable: true
+      depth: 3
+      parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:rs.an
+      ref_id: RS.AN-06
+      description: Actions performed during an investigation are recorded, and the
+        records' integrity and provenance are preserved
+    - urn: urn:intuitem:risk:req_node:nist-csf-2.0:node208
+      assessable: false
+      depth: 4
+      parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:rs.an-06
+      name: Examples
+      description: '1st: 1st Party Risk
+
+        Ex1: Require each incident responder and others (e.g., system administrators,
+        cybersecurity engineers) who perform incident response tasks to record their
+        actions and make the record immutable
+
+        Ex2: Require the incident lead to document the incident in detail and be responsible
+        for preserving the integrity of the documentation and the sources of all information
+        being reported'
+    - urn: urn:intuitem:risk:req_node:nist-csf-2.0:rs.an-07
+      assessable: true
+      depth: 3
+      parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:rs.an
+      ref_id: RS.AN-07
+      description: Incident data and metadata are collected, and their integrity and
+        provenance are preserved
+    - urn: urn:intuitem:risk:req_node:nist-csf-2.0:node210
+      assessable: false
+      depth: 4
+      parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:rs.an-07
+      name: Examples
+      description: '1st: 1st Party Risk
+
+        Ex1: Collect, preserve, and safeguard the integrity of all pertinent incident
+        data and metadata (e.g., data source, date/time of collection) based on evidence
+        preservation and chain-of-custody procedures'
+    - urn: urn:intuitem:risk:req_node:nist-csf-2.0:rs.an-08
+      assessable: true
+      depth: 3
+      parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:rs.an
+      ref_id: RS.AN-08
+      description: An incident's magnitude is estimated and validated
+    - urn: urn:intuitem:risk:req_node:nist-csf-2.0:node212
+      assessable: false
+      depth: 4
+      parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:rs.an-08
+      name: Examples
+      description: '1st: 1st Party Risk
+
+        Ex1: Review other potential targets of the incident to search for indicators
+        of compromise and evidence of persistence
+
+        Ex2: Automatically run tools on targets to look for indicators of compromise
+        and evidence of persistence'
+    - urn: urn:intuitem:risk:req_node:nist-csf-2.0:rs.co
+      assessable: false
+      depth: 2
+      parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:rs
+      ref_id: RS.CO
+      name: Incident Response Reporting and Communication
+      description: Response activities are coordinated with internal and external
+        stakeholders as required by laws, regulations, or policies
+    - urn: urn:intuitem:risk:req_node:nist-csf-2.0:rs.co-02
+      assessable: true
+      depth: 3
+      parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:rs.co
+      ref_id: RS.CO-02
+      description: Internal and external stakeholders are notified of incidents
+    - urn: urn:intuitem:risk:req_node:nist-csf-2.0:node215
+      assessable: false
+      depth: 4
+      parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:rs.co-02
+      name: Examples
+      description: '1st: 1st Party Risk
+
+        3rd: 3rd Party Risk
+
+        Ex1: Follow the organization''s breach notification procedures after discovering
+        a data breach incident, including notifying affected customers
+
+        Ex2: Notify business partners and customers of incidents in accordance with
+        contractual requirements
+
+        Ex3: Notify law enforcement agencies and regulatory bodies of incidents based
+        on criteria in the incident response plan and management approval'
+    - urn: urn:intuitem:risk:req_node:nist-csf-2.0:rs.co-03
+      assessable: true
+      depth: 3
+      parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:rs.co
+      ref_id: RS.CO-03
+      description: Information is shared with designated internal and external stakeholders
+    - urn: urn:intuitem:risk:req_node:nist-csf-2.0:node217
+      assessable: false
+      depth: 4
+      parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:rs.co-03
+      name: Examples
+      description: '1st: 1st Party Risk
+
+        3rd: 3rd Party Risk
+
+        Ex1: Securely share information consistent with response plans and information
+        sharing agreements
+
+        Ex2: Voluntarily share information about an attacker''s observed TTPs, with
+        all sensitive data removed, with an Information Sharing and Analysis Center
+        (ISAC)
+
+        Ex3: Notify HR when malicious insider activity occurs
+
+        Ex4: Regularly update senior leadership on the status of major incidents
+
+        Ex5: Follow the rules and protocols defined in contracts for incident information
+        sharing between the organization and its suppliers
+
+        Ex6: Coordinate crisis communication methods between the organization and
+        its critical suppliers'
+    - urn: urn:intuitem:risk:req_node:nist-csf-2.0:rs.mi
+      assessable: false
+      depth: 2
+      parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:rs
+      ref_id: RS.MI
+      name: Incident Mitigation
+      description: Activities are performed to prevent expansion of an event and mitigate
+        its effects
+    - urn: urn:intuitem:risk:req_node:nist-csf-2.0:rs.mi-01
+      assessable: true
+      depth: 3
+      parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:rs.mi
+      ref_id: RS.MI-01
+      description: Incidents are contained
+    - urn: urn:intuitem:risk:req_node:nist-csf-2.0:node220
+      assessable: false
+      depth: 4
+      parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:rs.mi-01
+      name: Examples
+      description: '1st: 1st Party Risk
+
+        3rd: 3rd Party Risk
+
+        Ex1: Cybersecurity technologies (e.g., antivirus software) and cybersecurity
+        features of other technologies (e.g., operating systems, network infrastructure
+        devices) automatically perform containment actions
+
+        Ex2: Allow incident responders to manually select and perform containment
+        actions
+
+        Ex3: Allow a third party (e.g., internet service provider, managed security
+        service provider) to perform containment actions on behalf of the organization
+
+        Ex4: Automatically transfer compromised endpoints to a remediation virtual
+        local area network (VLAN)'
+    - urn: urn:intuitem:risk:req_node:nist-csf-2.0:rs.mi-02
+      assessable: true
+      depth: 3
+      parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:rs.mi
+      ref_id: RS.MI-02
+      description: Incidents are eradicated
+    - urn: urn:intuitem:risk:req_node:nist-csf-2.0:node222
+      assessable: false
+      depth: 4
+      parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:rs.mi-02
+      name: Examples
+      description: '1st: 1st Party Risk
+
+        3rd: 3rd Party Risk
+
+        Ex1: Cybersecurity technologies and cybersecurity features of other technologies
+        (e.g., operating systems, network infrastructure devices) automatically perform
+        eradication actions
+
+        Ex2: Allow incident responders to manually select and perform eradication
+        actions
+
+        Ex3: Allow a third party (e.g., managed security service provider) to perform
+        eradication actions on behalf of the organization'
+    - urn: urn:intuitem:risk:req_node:nist-csf-2.0:rc
+      assessable: false
+      depth: 1
+      ref_id: RC
+      name: RECOVER
+      description: Assets and operations affected by a cybersecurity incident are
+        restored
+    - urn: urn:intuitem:risk:req_node:nist-csf-2.0:rc.rp
+      assessable: false
+      depth: 2
+      parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:rc
+      ref_id: RC.RP
+      name: Incident Recovery Plan Execution
+      description: Restoration activities are performed to ensure operational availability
+        of systems and services affected by cybersecurity incidents
+    - urn: urn:intuitem:risk:req_node:nist-csf-2.0:rc.rp-01
+      assessable: true
+      depth: 3
+      parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:rc.rp
+      ref_id: RC.RP-01
+      description: The recovery portion of the incident response plan is executed
+        once initiated from the incident response process
+    - urn: urn:intuitem:risk:req_node:nist-csf-2.0:node226
+      assessable: false
+      depth: 4
+      parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:rc.rp-01
+      name: Examples
+      description: '1st: 1st Party Risk
+
+        Ex1: Begin recovery procedures during or after incident response processes
+
+        Ex2: Make all individuals with recovery responsibilities aware of the plans
+        for recovery and the authorizations required to implement each aspect of the
+        plans'
+    - urn: urn:intuitem:risk:req_node:nist-csf-2.0:rc.rp-02
+      assessable: true
+      depth: 3
+      parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:rc.rp
+      ref_id: RC.RP-02
+      description: Recovery actions are selected, scoped, prioritized, and performed
+    - urn: urn:intuitem:risk:req_node:nist-csf-2.0:node228
+      assessable: false
+      depth: 4
+      parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:rc.rp-02
+      name: Examples
+      description: '1st: 1st Party Risk
+
+        Ex1: Select recovery actions based on the criteria defined in the incident
+        response plan and available resources
+
+        Ex2: Change planned recovery actions based on a reassessment of organizational
+        needs and resources'
+    - urn: urn:intuitem:risk:req_node:nist-csf-2.0:rc.rp-03
+      assessable: true
+      depth: 3
+      parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:rc.rp
+      ref_id: RC.RP-03
+      description: The integrity of backups and other restoration assets is verified
+        before using them for restoration
+    - urn: urn:intuitem:risk:req_node:nist-csf-2.0:node230
+      assessable: false
+      depth: 4
+      parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:rc.rp-03
+      name: Examples
+      description: '1st: 1st Party Risk
+
+        Ex1: Check restoration assets for indicators of compromise, file corruption,
+        and other integrity issues before use'
+    - urn: urn:intuitem:risk:req_node:nist-csf-2.0:rc.rp-04
+      assessable: true
+      depth: 3
+      parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:rc.rp
+      ref_id: RC.RP-04
+      description: Critical mission functions and cybersecurity risk management are
+        considered to establish post-incident operational norms
+    - urn: urn:intuitem:risk:req_node:nist-csf-2.0:node232
+      assessable: false
+      depth: 4
+      parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:rc.rp-04
+      name: Examples
+      description: '1st: 1st Party Risk
+
+        Ex1: Use business impact and system categorization records (including service
+        delivery objectives) to validate that essential services are restored in the
+        appropriate order
+
+        Ex2: Work with system owners to confirm the successful restoration of systems
+        and the return to normal operations
+
+        Ex3: Monitor the performance of restored systems to verify the adequacy of
+        the restoration'
+    - urn: urn:intuitem:risk:req_node:nist-csf-2.0:rc.rp-05
+      assessable: true
+      depth: 3
+      parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:rc.rp
+      ref_id: RC.RP-05
+      description: The integrity of restored assets is verified, systems and services
+        are restored, and normal operating status is confirmed
+    - urn: urn:intuitem:risk:req_node:nist-csf-2.0:node234
+      assessable: false
+      depth: 4
+      parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:rc.rp-05
+      name: Examples
+      description: '1st: 1st Party Risk
+
+        Ex1: Check restored assets for indicators of compromise and remediation of
+        root causes of the incident before production use
+
+        Ex2: Verify the correctness and adequacy of the restoration actions taken
+        before putting a restored system online'
+    - urn: urn:intuitem:risk:req_node:nist-csf-2.0:rc.rp-06
+      assessable: true
+      depth: 3
+      parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:rc.rp
+      ref_id: RC.RP-06
+      description: The end of incident recovery is declared based on criteria, and
+        incident-related documentation is completed
+    - urn: urn:intuitem:risk:req_node:nist-csf-2.0:node236
+      assessable: false
+      depth: 4
+      parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:rc.rp-06
+      name: Examples
+      description: '1st: 1st Party Risk
+
+        Ex1: Prepare an after-action report that documents the incident itself, the
+        response and recovery actions taken, and lessons learned
+
+        Ex2: Declare the end of incident recovery once the criteria are met'
+    - urn: urn:intuitem:risk:req_node:nist-csf-2.0:rc.co
+      assessable: false
+      depth: 2
+      parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:rc
+      ref_id: RC.CO
+      name: Incident Recovery Communication
+      description: Restoration activities are coordinated with internal and external
+        parties
+    - urn: urn:intuitem:risk:req_node:nist-csf-2.0:rc.co-03
+      assessable: true
+      depth: 3
+      parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:rc.co
+      ref_id: RC.CO-03
+      description: Recovery activities and progress in restoring operational capabilities
+        are communicated to designated internal and external stakeholders
+    - urn: urn:intuitem:risk:req_node:nist-csf-2.0:node239
+      assessable: false
+      depth: 4
+      parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:rc.co-03
+      name: Examples
+      description: '1st: 1st Party Risk
+
+        3rd: 3rd Party Risk
+
+        Ex1: Securely share recovery information, including restoration progress,
+        consistent with response plans and information sharing agreements
+
+        Ex2: Regularly update senior leadership on recovery status and restoration
+        progress for major incidents
+
+        Ex3: Follow the rules and protocols defined in contracts for incident information
+        sharing between the organization and its suppliers
+
+        Ex4: Coordinate crisis communication between the organization and its critical
+        suppliers'
+    - urn: urn:intuitem:risk:req_node:nist-csf-2.0:rc.co-04
+      assessable: true
+      depth: 3
+      parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:rc.co
+      ref_id: RC.CO-04
+      description: Public updates on incident recovery are shared using approved methods
+        and messaging
+    - urn: urn:intuitem:risk:req_node:nist-csf-2.0:node241
+      assessable: false
+      depth: 4
+      parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:rc.co-04
+      name: Examples
+      description: '1st: 1st Party Risk
+
+        Ex1: Follow the organization''s breach notification procedures for recovering
+        from a data breach incident
+
+        Ex2: Explain the steps being taken to recover from the incident and to prevent
+        a recurrence'
diff --git a/tools/convert_framework.py b/tools/convert_framework.py
index 027d4ad17..ca8354caa 100644
--- a/tools/convert_framework.py
+++ b/tools/convert_framework.py
@@ -75,6 +75,7 @@
 library_vars_dict = defaultdict(dict)
 library_vars_dict_reverse = defaultdict(dict)
 library_vars_dict_arg = defaultdict(dict)
+urn_unicity_checker = set()
 
 if len(sys.argv) <= 1:
     print("missing input file parameter")
@@ -155,9 +156,12 @@ def read_header(row):
                 annotation = row[header['annotation']].value if 'annotation' in header else None
                 level = row[header['level']].value if 'level' in header else None
                 maturity = row[header['maturity']].value if 'maturity' in header else None
-                ref_id_urn = ref_id.lower().replace(' ', '-') if ref_id else \
-                    name.lower().replace(' ', '-') if name else f"node{counter}"
+                ref_id_urn = ref_id.lower().replace(' ', '-') if ref_id else f"node{counter}"
                 urn = f"{root_nodes_urn}:{ref_id_urn}"
+                if urn in urn_unicity_checker:
+                    print("URN duplicate:", urn)
+                    exit(1)
+                urn_unicity_checker.add(urn)
                 if depth == current_depth + 1:
                     parent_for_depth[depth]=current_node_urn
                     parent_urn = parent_for_depth[depth]
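Review bot: The new duplicate-URN guard reports with a plain `print` and then calls `exit(1)`, so the message lands on stdout and the exit relies on the `site`-provided `exit` helper. The script already uses `sys` (`sys.argv` in the earlier hunk), so `sys.exit(f"URN duplicate: {urn}")` would write to stderr and return a non-zero status in one line. Separately, with the name fallback removed, every node without a `ref_id` now gets `node{counter}`. If `counter` follows row order, as it appears to, inserting a row in the spreadsheet renumbers the URNs of all later nodes; a comment such as `# node{counter} URNs are positional and not stable across regenerations` would warn maintainers. The enclosing loop starts and ends outside this hunk.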
diff --git a/tools/csf2-tools/csf20.xlsx b/tools/csf2-tools/csf20.xlsx
new file mode 100644
index 000000000..f0d9dda83
Binary files /dev/null and b/tools/csf2-tools/csf20.xlsx differ
diff --git a/tools/csf2-tools/csfv2.py b/tools/csf2-tools/csfv2.py
new file mode 100644
index 000000000..715f7950f
--- /dev/null
+++ b/tools/csf2-tools/csfv2.py
@@ -0,0 +1,87 @@
+import openpyxl
+import sys
+import re
+import yaml
+from pprint import pprint
+from collections import defaultdict
+
+if len(sys.argv) <= 1:
+    print("missing input file parameter")
+    exit()
+input_file_name = sys.argv[1]
+ref_name = re.sub(r"\.\w+$", "", input_file_name).lower()
+output_file_name = ref_name + ".yaml"
+
+print("parsing", input_file_name)
+
+# Define variable to load the dataframe
+dataframe = openpyxl.load_workbook(input_file_name)
+wb_output = openpyxl.Workbook()
+ws = wb_output.active
+
+def error(message):
+    print("Error:", message)
+    exit(1)
+
+
+def read_header(row):
+    i = 0
+    header = {}
+    for v in row:
+        v = str(v.value).lower()
+        header[v] = i
+        i += 1
+    return header
+
+ws.cell(row=1, column=1, value='assessable')
+ws.cell(row=1, column=2, value='depth')
+ws.cell(row=1, column=3, value='ref_id')
+ws.cell(row=1, column=4, value='name')
+ws.cell(row=1, column=5, value='description')
+line = 2
+for tab in dataframe:
+    print("parsing tab", tab.title)
+    title = tab.title
+    print("...processing content")
+    for row in tab:
+        if any([r.value for r in row]):
+            (v1, v2, v3, v4) = (r.value for r in row[0:4])
+            if v1:
+                if ':' in v1:
+                    print(v1)
+                    q = re.match("(\w+) \((\w+)\): (.*)", v1)
+                    function_name = q.group(1)
+                    function_id = q.group(2)
+                    function_description = q.group(3)
+                    ws.cell(row=line, column=2, value=1)
+                    ws.cell(row=line, column=3, value=function_id)
+                    ws.cell(row=line, column=4, value=function_name)
+                    ws.cell(row=line, column=5, value=function_description)
+                    line += 1
+            elif v2:
+                    q = re.match("([\w\s,]+) \((\w+.\w+)\): (.*)", v2)
+                    category_name = q.group(1)
+                    category_id = q.group(2)
+                    category_description = q.group(3)
+                    ws.cell(row=line, column=2, value=2)
+                    ws.cell(row=line, column=3, value=category_id)
+                    ws.cell(row=line, column=4, value=category_name)
+                    ws.cell(row=line, column=5, value=category_description)
+                    line += 1
+            elif v3:
+                    q = re.match("(\w+.\w+-\d+): (.*)", v3)
+                    subcategory_id = q.group(1)
+                    subcategory_description = q.group(2)
+                    ws.cell(row=line, column=1, value='x')
+                    ws.cell(row=line, column=2, value=3)
+                    ws.cell(row=line, column=3, value=subcategory_id)
+                    ws.cell(row=line, column=5, value=subcategory_description)
+                    line += 1
+                    ws.cell(row=line, column=2, value=4)
+                    ws.cell(row=line, column=4, value='Examples')
+                    ws.cell(row=line, column=5, value=v4)
+                    line += 1
+
+
+
+wb_output.save('nist_csf-2.0-en.xlsx')
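Review bot: All three `re.match` results (the function, category and subcategory branches) are used without a `None` check. A cell that does not fit the expected `Name (ID): description` shape therefore stops the conversion with an `AttributeError` that names neither the tab nor the cell, while the `error()` helper defined above is never called. Since the output of this script becomes the framework library, it should fail with the offending cell. The patterns should also be raw strings with the dot in the IDs escaped, because `"\w"` in a normal string is an invalid escape sequence and the bare `.` accepts any character. Smaller points: the missing-argument path calls `exit()` with no status and so reports success, and `yaml`, `pprint`, `defaultdict`, `read_header` and `output_file_name` are unused.

```python
            if v1:
                if ':' in v1:
                    # … unchanged: print(v1) …
                    q = re.match(r"(\w+) \((\w+)\): (.*)", v1)
                    if q is None:
                        error(f"unparsable function cell in tab {title}: {v1!r}")
                    # … unchanged: function row written to ws …
            elif v2:
                    q = re.match(r"([\w\s,]+) \((\w+\.\w+)\): (.*)", v2)
                    if q is None:
                        error(f"unparsable category cell in tab {title}: {v2!r}")
                    # … unchanged: category row written to ws …
            elif v3:
                    q = re.match(r"(\w+\.\w+-\d+): (.*)", v3)
                    if q is None:
                        error(f"unparsable subcategory cell in tab {title}: {v3!r}")
                    # … unchanged: subcategory and Examples rows written to ws …
```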
diff --git a/tools/nist_csf-2.0-en.xlsx b/tools/nist_csf-2.0-en.xlsx
new file mode 100644
index 000000000..850428a2e
Binary files /dev/null and b/tools/nist_csf-2.0-en.xlsx differ
diff --git a/tools/nist_csf-2.0-en.yaml b/tools/nist_csf-2.0-en.yaml
new file mode 100644
index 000000000..6452a17c4
--- /dev/null
+++ b/tools/nist_csf-2.0-en.yaml
@@ -0,0 +1,2779 @@
+urn: urn:intuitem:risk:library:nist-csf-2.0
+locale: en
+ref_id: NIST-CSF-2.0
+name: NIST CSF version 2.0
+description: National Institute of Standards and Technology - Cybersecurity Framework
+copyright: With the exception of material marked as copyrighted, information presented
+  on NIST sites are considered public information and may be distributed or copied.
+version: 1
+provider: NIST
+packager: intuitem
+objects:
+  framework:
+    urn: urn:intuitem:risk:framework:nist-csf-2.0
+    ref_id: NIST-CSF-2.0
+    name: NIST CSF v2.0
+    description: NIST Cybersecurity Framework
+    requirement_nodes:
+    - urn: urn:intuitem:risk:req_node:nist-csf-2.0:gv
+      assessable: false
+      depth: 1
+      ref_id: GV
+      name: GOVERN
+      description: The organization's cybersecurity risk management strategy, expectations,
+        and policy are established, communicated, and monitored
+    - urn: urn:intuitem:risk:req_node:nist-csf-2.0:gv.oc
+      assessable: false
+      depth: 2
+      parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:gv
+      ref_id: GV.OC
+      name: Organizational Context
+      description: The circumstances - mission, stakeholder expectations, dependencies,
+        and legal, regulatory, and contractual requirements - surrounding the organization's
+        cybersecurity risk management decisions are understood
+    - urn: urn:intuitem:risk:req_node:nist-csf-2.0:gv.oc-01
+      assessable: true
+      depth: 3
+      parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:gv.oc
+      ref_id: GV.OC-01
+      description: The organizational mission is understood and informs cybersecurity
+        risk management
+    - urn: urn:intuitem:risk:req_node:nist-csf-2.0:node5
+      assessable: false
+      depth: 4
+      parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:gv.oc-01
+      name: Examples
+      description: '1st: 1st Party Risk
+
+        Ex1: Share the organization''s mission (e.g., through vision and mission statements,
+        marketing, and service strategies) to provide a basis for identifying risks
+        that may impede that mission'
+    - urn: urn:intuitem:risk:req_node:nist-csf-2.0:gv.oc-02
+      assessable: true
+      depth: 3
+      parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:gv.oc
+      ref_id: GV.OC-02
+      description: Internal and external stakeholders are understood, and their needs
+        and expectations regarding cybersecurity risk management are understood and
+        considered
+    - urn: urn:intuitem:risk:req_node:nist-csf-2.0:node7
+      assessable: false
+      depth: 4
+      parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:gv.oc-02
+      name: Examples
+      description: '1st: 1st Party Risk
+
+        3rd: 3rd Party Risk
+
+        Ex1: Identify relevant internal stakeholders and their cybersecurity-related
+        expectations (e.g., performance and risk expectations of officers, directors,
+        and advisors; cultural expectations of employees)
+
+        Ex2: Identify relevant external stakeholders and their cybersecurity-related
+        expectations (e.g., privacy expectations of customers, business expectations
+        of partnerships, compliance expectations of regulators, ethics expectations
+        of society)'
+    - urn: urn:intuitem:risk:req_node:nist-csf-2.0:gv.oc-03
+      assessable: true
+      depth: 3
+      parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:gv.oc
+      ref_id: GV.OC-03
+      description: Legal, regulatory, and contractual requirements regarding cybersecurity
+        - including privacy and civil liberties obligations - are understood and managed
+    - urn: urn:intuitem:risk:req_node:nist-csf-2.0:node9
+      assessable: false
+      depth: 4
+      parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:gv.oc-03
+      name: Examples
+      description: '1st: 1st Party Risk
+
+        3rd: 3rd Party Risk
+
+        Ex1: Determine a process to track and manage legal and regulatory requirements
+        regarding protection of individuals'' information (e.g., Health Insurance
+        Portability and Accountability Act, California Consumer Privacy Act, General
+        Data Protection Regulation)
+
+        Ex2: Determine a process to track and manage contractual requirements for
+        cybersecurity management of supplier, customer, and partner information
+
+        Ex3: Align the organization''s cybersecurity strategy with legal, regulatory,
+        and contractual requirements'
+    - urn: urn:intuitem:risk:req_node:nist-csf-2.0:gv.oc-04
+      assessable: true
+      depth: 3
+      parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:gv.oc
+      ref_id: GV.OC-04
+      description: Critical objectives, capabilities, and services that stakeholders
+        depend on or expect from the organization are understood and communicated
+    - urn: urn:intuitem:risk:req_node:nist-csf-2.0:node11
+      assessable: false
+      depth: 4
+      parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:gv.oc-04
+      name: Examples
+      description: '1st: 1st Party Risk
+
+        3rd: 3rd Party Risk
+
+        Ex1: Establish criteria for determining the criticality of capabilities and
+        services as viewed by internal and external stakeholders
+
+        Ex2: Determine (e.g., from a business impact analysis) assets and business
+        operations that are vital to achieving mission objectives and the potential
+        impact of a loss (or partial loss) of such operations
+
+        Ex3: Establish and communicate resilience objectives (e.g., recovery time
+        objectives) for delivering critical capabilities and services in various operating
+        states (e.g., under attack, during recovery, normal operation)'
+    - urn: urn:intuitem:risk:req_node:nist-csf-2.0:gv.oc-05
+      assessable: true
+      depth: 3
+      parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:gv.oc
+      ref_id: GV.OC-05
+      description: Outcomes, capabilities, and services that the organization depends
+        on are understood and communicated
+    - urn: urn:intuitem:risk:req_node:nist-csf-2.0:node13
+      assessable: false
+      depth: 4
+      parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:gv.oc-05
+      name: Examples
+      description: 'Ex1: Create an inventory of the organization''s dependencies on
+        external resources (e.g., facilities, cloud-based hosting providers) and their
+        relationships to organizational assets and business functions
+
+        Ex2: Identify and document external dependencies that are potential points
+        of failure for the organization''s critical capabilities and services, and
+        share that information with appropriate personnel
+
+        3rd: 3rd Party Risk'
+    - urn: urn:intuitem:risk:req_node:nist-csf-2.0:gv.rm
+      assessable: false
+      depth: 2
+      parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:gv
+      ref_id: GV.RM
+      name: Risk Management Strategy
+      description: The organization's priorities, constraints, risk tolerance and
+        appetite statements, and assumptions are established, communicated, and used
+        to support operational risk decisions
+    - urn: urn:intuitem:risk:req_node:nist-csf-2.0:gv.rm-01
+      assessable: true
+      depth: 3
+      parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:gv.rm
+      ref_id: GV.RM-01
+      description: Risk management objectives are established and agreed to by organizational
+        stakeholders
+    - urn: urn:intuitem:risk:req_node:nist-csf-2.0:node16
+      assessable: false
+      depth: 4
+      parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:gv.rm-01
+      name: Examples
+      description: '1st: 1st Party Risk
+
+        Ex1: Update near-term and long-term cybersecurity risk management objectives
+        as part of annual strategic planning and when major changes occur
+
+        Ex2: Establish measurable objectives for cybersecurity risk management (e.g.,
+        manage the quality of user training, ensure adequate risk protection for industrial
+        control systems)
+
+        Ex3: Senior leaders agree about cybersecurity objectives and use them for
+        measuring and managing risk and performance'
+    - urn: urn:intuitem:risk:req_node:nist-csf-2.0:gv.rm-02
+      assessable: true
+      depth: 3
+      parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:gv.rm
+      ref_id: GV.RM-02
+      description: Risk appetite and risk tolerance statements are established, communicated,
+        and maintained
+    - urn: urn:intuitem:risk:req_node:nist-csf-2.0:node18
+      assessable: false
+      depth: 4
+      parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:gv.rm-02
+      name: Examples
+      description: '1st: 1st Party Risk
+
+        3rd: 3rd Party Risk
+
+        Ex1: Determine and communicate risk appetite statements that convey expectations
+        about the appropriate level of risk for the organization
+
+        Ex2: Translate risk appetite statements into specific, measurable, and broadly
+        understandable risk tolerance statements
+
+        Ex3: Refine organizational objectives and risk appetite periodically based
+        on known risk exposure and residual risk'
+    - urn: urn:intuitem:risk:req_node:nist-csf-2.0:gv.rm-03
+      assessable: true
+      depth: 3
+      parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:gv.rm
+      ref_id: GV.RM-03
+      description: Cybersecurity risk management activities and outcomes are included
+        in enterprise risk management processes
+    - urn: urn:intuitem:risk:req_node:nist-csf-2.0:node20
+      assessable: false
+      depth: 4
+      parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:gv.rm-03
+      name: Examples
+      description: '1st: 1st Party Risk
+
+        Ex1: Aggregate and manage cybersecurity risks alongside other enterprise risks
+        (e.g., compliance, financial, operational, regulatory, reputational, safety)
+
+        Ex2: Include cybersecurity risk managers in enterprise risk management planning
+
+        Ex3: Establish criteria for escalating cybersecurity risks within enterprise
+        risk management'
+    - urn: urn:intuitem:risk:req_node:nist-csf-2.0:gv.rm-04
+      assessable: true
+      depth: 3
+      parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:gv.rm
+      ref_id: GV.RM-04
+      description: Strategic direction that describes appropriate risk response options
+        is established and communicated
+    - urn: urn:intuitem:risk:req_node:nist-csf-2.0:node22
+      assessable: false
+      depth: 4
+      parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:gv.rm-04
+      name: Examples
+      description: '1st: 1st Party Risk
+
+        Ex1: Specify criteria for accepting and avoiding cybersecurity risk for various
+        classifications of data
+
+        Ex2: Determine whether to purchase cybersecurity insurance
+
+        Ex3: Document conditions under which shared responsibility models are acceptable
+        (e.g., outsourcing certain cybersecurity functions, having a third party perform
+        financial transactions on behalf of the organization, using public cloud-based
+        services)'
+    - urn: urn:intuitem:risk:req_node:nist-csf-2.0:gv.rm-05
+      assessable: true
+      depth: 3
+      parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:gv.rm
+      ref_id: GV.RM-05
+      description: Lines of communication across the organization are established
+        for cybersecurity risks, including risks from suppliers and other third parties
+    - urn: urn:intuitem:risk:req_node:nist-csf-2.0:node24
+      assessable: false
+      depth: 4
+      parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:gv.rm-05
+      name: Examples
+      description: '1st: 1st Party Risk
+
+        3rd: 3rd Party Risk
+
+        Ex1: Determine how to update senior executives, directors, and management
+        on the organization''s cybersecurity posture at agreed-upon intervals
+
+        Ex2: Identify how all departments across the organization - such as management,
+        operations, internal auditors, legal, acquisition, physical security, and
+        HR - will communicate with each other about cybersecurity risks'
+    - urn: urn:intuitem:risk:req_node:nist-csf-2.0:gv.rm-06
+      assessable: true
+      depth: 3
+      parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:gv.rm
+      ref_id: GV.RM-06
+      description: A standardized method for calculating, documenting, categorizing,
+        and prioritizing cybersecurity risks is established and communicated
+    - urn: urn:intuitem:risk:req_node:nist-csf-2.0:node26
+      assessable: false
+      depth: 4
+      parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:gv.rm-06
+      name: Examples
+      description: '1st: 1st Party Risk
+
+        Ex1: Establish criteria for using a quantitative approach to cybersecurity
+        risk analysis, and specify probability and exposure formulas
+
+        Ex2: Create and use templates (e.g., a risk register) to document cybersecurity
+        risk information (e.g., risk description, exposure, treatment, and ownership)
+
+        Ex3: Establish criteria for risk prioritization at the appropriate levels
+        within the enterprise
+
+        Ex4: Use a consistent list of risk categories to support integrating, aggregating,
+        and comparing cybersecurity risks'
+    - urn: urn:intuitem:risk:req_node:nist-csf-2.0:gv.rm-07
+      assessable: true
+      depth: 3
+      parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:gv.rm
+      ref_id: GV.RM-07
+      description: Strategic opportunities (i.e., positive risks) are characterized
+        and are included in organizational cybersecurity risk discussions
+    - urn: urn:intuitem:risk:req_node:nist-csf-2.0:node28
+      assessable: false
+      depth: 4
+      parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:gv.rm-07
+      name: Examples
+      description: '1st: 1st Party Risk
+
+        Ex1: Define and communicate guidance and methods for identifying opportunities
+        and including them in risk discussions (e.g., strengths, weaknesses, opportunities,
+        and threats [SWOT] analysis)
+
+        Ex2: Identify stretch goals and document them
+
+        Ex3: Calculate, document, and prioritize positive risks alongside negative
+        risks'
+    - urn: urn:intuitem:risk:req_node:nist-csf-2.0:gv.rr
+      assessable: false
+      depth: 2
+      parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:gv
+      ref_id: GV.RR
+      name: Roles, Responsibilities, and Authorities
+      description: Cybersecurity roles, responsibilities, and authorities to foster
+        accountability, performance assessment, and continuous improvement are established
+        and communicated
+    - urn: urn:intuitem:risk:req_node:nist-csf-2.0:gv.rr-01
+      assessable: true
+      depth: 3
+      parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:gv.rr
+      ref_id: GV.RR-01
+      description: Organizational leadership is responsible and accountable for cybersecurity
+        risk and fosters a culture that is risk-aware, ethical, and continually improving
+    - urn: urn:intuitem:risk:req_node:nist-csf-2.0:node31
+      assessable: false
+      depth: 4
+      parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:gv.rr-01
+      name: Examples
+      description: '1st: 1st Party Risk
+
+        Ex1: Leaders (e.g., directors) agree on their roles and responsibilities in
+        developing, implementing, and assessing the organization''s cybersecurity
+        strategy
+
+        Ex2: Share leaders'' expectations regarding a secure and ethical culture,
+        especially when current events present the opportunity to highlight positive
+        or negative examples of cybersecurity risk management
+
+        Ex3: Leaders direct the CISO to maintain a comprehensive cybersecurity risk
+        strategy and review and update it at least annually and after major events
+
+        Ex4: Conduct reviews to ensure adequate authority and coordination among those
+        responsible for managing cybersecurity risk'
+    - urn: urn:intuitem:risk:req_node:nist-csf-2.0:gv.rr-02
+      assessable: true
+      depth: 3
+      parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:gv.rr
+      ref_id: GV.RR-02
+      description: Roles, responsibilities, and authorities related to cybersecurity
+        risk management are established, communicated, understood, and enforced
+    - urn: urn:intuitem:risk:req_node:nist-csf-2.0:node33
+      assessable: false
+      depth: 4
+      parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:gv.rr-02
+      name: Examples
+      description: '1st: 1st Party Risk
+
+        Ex1: Document risk management roles and responsibilities in policy
+
+        Ex2: Document who is responsible and accountable for cybersecurity risk management
+        activities and how those teams and individuals are to be consulted and informed
+
+        Ex3: Include cybersecurity responsibilities and performance requirements in
+        personnel descriptions
+
+        Ex4: Document performance goals for personnel with cybersecurity risk management
+        responsibilities, and periodically measure performance to identify areas for
+        improvement
+
+        Ex5: Clearly articulate cybersecurity responsibilities within operations,
+        risk functions, and internal audit functions'
+    - urn: urn:intuitem:risk:req_node:nist-csf-2.0:gv.rr-03
+      assessable: true
+      depth: 3
+      parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:gv.rr
+      ref_id: GV.RR-03
+      description: Adequate resources are allocated commensurate with the cybersecurity
+        risk strategy, roles, responsibilities, and policies
+    - urn: urn:intuitem:risk:req_node:nist-csf-2.0:node35
+      assessable: false
+      depth: 4
+      parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:gv.rr-03
+      name: Examples
+      description: '1st: 1st Party Risk
+
+        3rd: 3rd Party Risk
+
+        Ex1: Conduct periodic management reviews to ensure that those given cybersecurity
+        risk management responsibilities have the necessary authority
+
+        Ex2: Identify resource allocation and investment in line with risk tolerance
+        and response
+
+        Ex3: Provide adequate and sufficient people, process, and technical resources
+        to support the cybersecurity strategy'
+    - urn: urn:intuitem:risk:req_node:nist-csf-2.0:gv.rr-04
+      assessable: true
+      depth: 3
+      parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:gv.rr
+      ref_id: GV.RR-04
+      description: Cybersecurity is included in human resources practices
+    - urn: urn:intuitem:risk:req_node:nist-csf-2.0:node37
+      assessable: false
+      depth: 4
+      parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:gv.rr-04
+      name: Examples
+      description: '1st: 1st Party Risk
+
+        Ex1: Integrate cybersecurity risk management considerations into human resources
+        processes (e.g., personnel screening, onboarding, change notification, offboarding)
+
+        Ex2: Consider cybersecurity knowledge to be a positive factor in hiring, training,
+        and retention decisions
+
+        Ex3: Conduct background checks prior to onboarding new personnel for sensitive
+        roles, and periodically repeat background checks for personnel with such roles
+
+        Ex4: Define and enforce obligations for personnel to be aware of, adhere to,
+        and uphold security policies as they relate to their roles'
+    - urn: urn:intuitem:risk:req_node:nist-csf-2.0:gv.po
+      assessable: false
+      depth: 2
+      parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:gv
+      ref_id: GV.PO
+      name: Policy
+      description: Organizational cybersecurity policy is established, communicated,
+        and enforced
+    - urn: urn:intuitem:risk:req_node:nist-csf-2.0:gv.po-01
+      assessable: true
+      depth: 3
+      parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:gv.po
+      ref_id: GV.PO-01
+      description: Policy for managing cybersecurity risks is established based on
+        organizational context, cybersecurity strategy, and priorities and is communicated
+        and enforced
+    - urn: urn:intuitem:risk:req_node:nist-csf-2.0:node40
+      assessable: false
+      depth: 4
+      parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:gv.po-01
+      name: Examples
+      description: '1st: 1st Party Risk
+
+        Ex1: Create, disseminate, and maintain an understandable, usable risk management
+        policy with statements of management intent, expectations, and direction
+
+        Ex2: Periodically review policy and supporting processes and procedures to
+        ensure that they align with risk management strategy objectives and priorities,
+        as well as the high-level direction of the cybersecurity policy
+
+        Ex3: Require approval from senior management on policy
+
+        Ex4: Communicate cybersecurity risk management policy and supporting processes
+        and procedures across the organization
+
+        Ex5: Require personnel to acknowledge receipt of policy when first hired,
+        annually, and whenever policy is updated'
+    - urn: urn:intuitem:risk:req_node:nist-csf-2.0:gv.po-02
+      assessable: true
+      depth: 3
+      parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:gv.po
+      ref_id: GV.PO-02
+      description: Policy for managing cybersecurity risks is reviewed, updated, communicated,
+        and enforced to reflect changes in requirements, threats, technology, and
+        organizational mission
+    - urn: urn:intuitem:risk:req_node:nist-csf-2.0:node42
+      assessable: false
+      depth: 4
+      parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:gv.po-02
+      name: Examples
+      description: '1st: 1st Party Risk
+
+        Ex1: Update policy based on periodic reviews of cybersecurity risk management
+        results to ensure that policy and supporting processes and procedures adequately
+        maintain risk at an acceptable level
+
+        Ex2: Provide a timeline for reviewing changes to the organization''s risk
+        environment (e.g., changes in risk or in the organization''s mission objectives),
+        and communicate recommended policy updates
+
+        Ex3: Update policy to reflect changes in legal and regulatory requirements
+
+        Ex4: Update policy to reflect changes in technology (e.g., adoption of artificial
+        intelligence) and changes to the business (e.g., acquisition of a new business,
+        new contract requirements)'
+    - urn: urn:intuitem:risk:req_node:nist-csf-2.0:gv.ov
+      assessable: false
+      depth: 2
+      parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:gv
+      ref_id: GV.OV
+      name: Oversight
+      description: Results of organization-wide cybersecurity risk management activities
+        and performance are used to inform, improve, and adjust the risk management
+        strategy
+    - urn: urn:intuitem:risk:req_node:nist-csf-2.0:gv.ov-01
+      assessable: true
+      depth: 3
+      parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:gv.ov
+      ref_id: GV.OV-01
+      description: Cybersecurity risk management strategy outcomes are reviewed to
+        inform and adjust strategy and direction
+    - urn: urn:intuitem:risk:req_node:nist-csf-2.0:node45
+      assessable: false
+      depth: 4
+      parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:gv.ov-01
+      name: Examples
+      description: '1st: 1st Party Risk
+
+        Ex1: Measure how well the risk management strategy and risk results have helped
+        leaders make decisions and achieve organizational objectives
+
+        Ex2: Examine whether cybersecurity risk strategies that impede operations
+        or innovation should be adjusted'
+    - urn: urn:intuitem:risk:req_node:nist-csf-2.0:gv.ov-02
+      assessable: true
+      depth: 3
+      parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:gv.ov
+      ref_id: GV.OV-02
+      description: The cybersecurity risk management strategy is reviewed and adjusted
+        to ensure coverage of organizational requirements and risks
+    - urn: urn:intuitem:risk:req_node:nist-csf-2.0:node47
+      assessable: false
+      depth: 4
+      parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:gv.ov-02
+      name: Examples
+      description: '1st: 1st Party Risk
+
+        Ex1: Review audit findings to confirm whether the existing cybersecurity strategy
+        has ensured compliance with internal and external requirements
+
+        Ex2: Review the performance oversight of those in cybersecurity-related roles
+        to determine whether policy changes are necessary
+
+        Ex3: Review strategy in light of cybersecurity incidents'
+    - urn: urn:intuitem:risk:req_node:nist-csf-2.0:gv.ov-03
+      assessable: true
+      depth: 3
+      parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:gv.ov
+      ref_id: GV.OV-03
+      description: Organizational cybersecurity risk management performance is evaluated
+        and reviewed for adjustments needed
+    - urn: urn:intuitem:risk:req_node:nist-csf-2.0:node49
+      assessable: false
+      depth: 4
+      parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:gv.ov-03
+      name: Examples
+      description: '1st: 1st Party Risk
+
+        Ex1: Review key performance indicators (KPIs) to ensure that organization-wide
+        policies and procedures achieve objectives
+
+        Ex2: Review key risk indicators (KRIs) to identify risks the organization
+        faces, including likelihood and potential impact
+
+        Ex3: Collect and communicate metrics on cybersecurity risk management with
+        senior leadership'
+    - urn: urn:intuitem:risk:req_node:nist-csf-2.0:gv.sc
+      assessable: false
+      depth: 2
+      parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:gv
+      ref_id: GV.SC
+      name: Cybersecurity Supply Chain Risk Management
+      description: Cyber supply chain risk management processes are identified, established,
+        managed, monitored, and improved by organizational stakeholders
+    - urn: urn:intuitem:risk:req_node:nist-csf-2.0:gv.sc-01
+      assessable: true
+      depth: 3
+      parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:gv.sc
+      ref_id: GV.SC-01
+      description: A cybersecurity supply chain risk management program, strategy,
+        objectives, policies, and processes are established and agreed to by organizational
+        stakeholders
+    - urn: urn:intuitem:risk:req_node:nist-csf-2.0:node52
+      assessable: false
+      depth: 4
+      parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:gv.sc-01
+      name: Examples
+      description: 'Ex1: Establish a strategy that expresses the objectives of the
+        cybersecurity supply chain risk management program
+
+        Ex2: Develop the cybersecurity supply chain risk management program, including
+        a plan (with milestones), policies, and procedures that guide implementation
+        and improvement of the program, and share the policies and procedures with
+        the organizational stakeholders
+
+        Ex3: Develop and implement program processes based on the strategy, objectives,
+        policies, and procedures that are agreed upon and performed by the organizational
+        stakeholders
+
+        Ex4: Establish a cross-organizational mechanism that ensures alignment between
+        functions that contribute to cybersecurity supply chain risk management, such
+        as cybersecurity, IT, operations, legal, human resources, and engineering
+
+        3rd: 3rd Party Risk'
+    - urn: urn:intuitem:risk:req_node:nist-csf-2.0:gv.sc-02
+      assessable: true
+      depth: 3
+      parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:gv.sc
+      ref_id: GV.SC-02
+      description: Cybersecurity roles and responsibilities for suppliers, customers,
+        and partners are established, communicated, and coordinated internally and
+        externally
+    - urn: urn:intuitem:risk:req_node:nist-csf-2.0:node54
+      assessable: false
+      depth: 4
+      parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:gv.sc-02
+      name: Examples
+      description: 'Ex1: Identify one or more specific roles or positions that will
+        be responsible and accountable for planning, resourcing, and executing cybersecurity
+        supply chain risk management activities
+
+        Ex2: Document cybersecurity supply chain risk management roles and responsibilities
+        in policy
+
+        Ex3: Create responsibility matrixes to document who will be responsible and
+        accountable for cybersecurity supply chain risk management activities and
+        how those teams and individuals will be consulted and informed
+
+        Ex4: Include cybersecurity supply chain risk management responsibilities and
+        performance requirements in personnel descriptions to ensure clarity and improve
+        accountability
+
+        Ex5: Document performance goals for personnel with cybersecurity risk management-specific
+        responsibilities, and periodically measure them to demonstrate and improve
+        performance
+
+        Ex6: Develop roles and responsibilities for suppliers, customers, and business
+        partners to address shared responsibilities for applicable cybersecurity risks,
+        and integrate them into organizational policies and applicable third-party
+        agreements
+
+        Ex7: Internally communicate cybersecurity supply chain risk management roles
+        and responsibilities for third parties
+
+        Ex8: Establish rules and protocols for information sharing and reporting processes
+        between the organization and its suppliers
+
+        3rd: 3rd Party Risk'
+    - urn: urn:intuitem:risk:req_node:nist-csf-2.0:gv.sc-03
+      assessable: true
+      depth: 3
+      parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:gv.sc
+      ref_id: GV.SC-03
+      description: Cybersecurity supply chain risk management is integrated into cybersecurity
+        and enterprise risk management, risk assessment, and improvement processes
+    - urn: urn:intuitem:risk:req_node:nist-csf-2.0:node56
+      assessable: false
+      depth: 4
+      parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:gv.sc-03
+      name: Examples
+      description: 'Ex1: Identify areas of alignment and overlap with cybersecurity
+        and enterprise risk management
+
+        Ex2: Establish integrated control sets for cybersecurity risk management and
+        cybersecurity supply chain risk management
+
+        Ex3: Integrate cybersecurity supply chain risk management into improvement
+        processes
+
+        Ex4: Escalate material cybersecurity risks in supply chains to senior management,
+        and address them at the enterprise risk management level
+
+        3rd: 3rd Party Risk'
+    - urn: urn:intuitem:risk:req_node:nist-csf-2.0:gv.sc-04
+      assessable: true
+      depth: 3
+      parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:gv.sc
+      ref_id: GV.SC-04
+      description: Suppliers are known and prioritized by criticality
+    - urn: urn:intuitem:risk:req_node:nist-csf-2.0:node58
+      assessable: false
+      depth: 4
+      parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:gv.sc-04
+      name: Examples
+      description: 'Ex1: Develop criteria for supplier criticality based on, for example,
+        the sensitivity of data processed or possessed by suppliers, the degree of
+        access to the organization''s systems, and the importance of the products
+        or services to the organization''s mission
+
+        Ex2: Keep a record of all suppliers, and prioritize suppliers based on the
+        criticality criteria
+
+        3rd: 3rd Party Risk'
+    - urn: urn:intuitem:risk:req_node:nist-csf-2.0:gv.sc-05
+      assessable: true
+      depth: 3
+      parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:gv.sc
+      ref_id: GV.SC-05
+      description: Requirements to address cybersecurity risks in supply chains are
+        established, prioritized, and integrated into contracts and other types of
+        agreements with suppliers and other relevant third parties
+    - urn: urn:intuitem:risk:req_node:nist-csf-2.0:node60
+      assessable: false
+      depth: 4
+      parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:gv.sc-05
+      name: Examples
+      description: 'Ex1: Establish security requirements for suppliers, products,
+        and services commensurate with their criticality level and potential impact
+        if compromised
+
+        Ex2: Include all cybersecurity and supply chain requirements that third parties
+        must follow and how compliance with the requirements may be verified in default
+        contractual language
+
+        Ex3: Define the rules and protocols for information sharing between the organization
+        and its suppliers and sub-tier suppliers in agreements
+
+        Ex4: Manage risk by including security requirements in agreements based on
+        their criticality and potential impact if compromised
+
+        Ex5: Define security requirements in service-level agreements (SLAs) for monitoring
+        suppliers for acceptable security performance throughout the supplier relationship
+        lifecycle
+
+        Ex6: Contractually require suppliers to disclose cybersecurity features, functions,
+        and vulnerabilities of their products and services for the life of the product
+        or the term of service
+
+        Ex7: Contractually require suppliers to provide and maintain a current component
+        inventory (e.g., software or hardware bill of materials) for critical products
+
+        Ex8: Contractually require suppliers to vet their employees and guard against
+        insider threats
+
+        Ex9: Contractually require suppliers to provide evidence of performing acceptable
+        security practices through, for example, self-attestation, conformance to
+        known standards, certifications, or inspections
+
+        Ex10: Specify in contracts and other agreements the rights and responsibilities
+        of the organization, its suppliers, and their supply chains, with respect
+        to potential cybersecurity risks
+
+        3rd: 3rd Party Risk'
+    - urn: urn:intuitem:risk:req_node:nist-csf-2.0:gv.sc-06
+      assessable: true
+      depth: 3
+      parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:gv.sc
+      ref_id: GV.SC-06
+      description: Planning and due diligence are performed to reduce risks before
+        entering into formal supplier or other third-party relationships
+    - urn: urn:intuitem:risk:req_node:nist-csf-2.0:node62
+      assessable: false
+      depth: 4
+      parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:gv.sc-06
+      name: Examples
+      description: 'Ex1: Perform thorough due diligence on prospective suppliers that
+        is consistent with procurement planning and commensurate with the level of
+        risk, criticality, and complexity of each supplier relationship
+
+        Ex2: Assess the suitability of the technology and cybersecurity capabilities
+        and the risk management practices of prospective suppliers
+
+        Ex3: Conduct supplier risk assessments against business and applicable cybersecurity
+        requirements
+
+        Ex4: Assess the authenticity, integrity, and security of critical products
+        prior to acquisition and use
+
+        3rd: 3rd Party Risk'
+    - urn: urn:intuitem:risk:req_node:nist-csf-2.0:gv.sc-07
+      assessable: true
+      depth: 3
+      parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:gv.sc
+      ref_id: GV.SC-07
+      description: The risks posed by a supplier, their products and services, and
+        other third parties are understood, recorded, prioritized, assessed, responded
+        to, and monitored over the course of the relationship
+    - urn: urn:intuitem:risk:req_node:nist-csf-2.0:node64
+      assessable: false
+      depth: 4
+      parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:gv.sc-07
+      name: Examples
+      description: 'Ex1: Adjust assessment formats and frequencies based on the third
+        party''s reputation and the criticality of the products or services they provide
+
+        Ex2: Evaluate third parties'' evidence of compliance with contractual cybersecurity
+        requirements, such as self-attestations, warranties, certifications, and other
+        artifacts
+
+        Ex3: Monitor critical suppliers to ensure that they are fulfilling their security
+        obligations throughout the supplier relationship lifecycle using a variety
+        of methods and techniques, such as inspections, audits, tests, or other forms
+        of evaluation
+
+        Ex4: Monitor critical suppliers, services, and products for changes to their
+        risk profiles, and reevaluate supplier criticality and risk impact accordingly
+
+        Ex5: Plan for unexpected supplier and supply chain-related interruptions to
+        ensure business continuity
+
+        3rd: 3rd Party Risk'
+    - urn: urn:intuitem:risk:req_node:nist-csf-2.0:gv.sc-08
+      assessable: true
+      depth: 3
+      parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:gv.sc
+      ref_id: GV.SC-08
+      description: Relevant suppliers and other third parties are included in incident
+        planning, response, and recovery activities
+    - urn: urn:intuitem:risk:req_node:nist-csf-2.0:node66
+      assessable: false
+      depth: 4
+      parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:gv.sc-08
+      name: Examples
+      description: 'Ex1: Define and use rules and protocols for reporting incident
+        response and recovery activities and the status between the organization and
+        its suppliers
+
+        Ex2: Identify and document the roles and responsibilities of the organization
+        and its suppliers for incident response
+
+        Ex3: Include critical suppliers in incident response exercises and simulations
+
+        Ex4: Define and coordinate crisis communication methods and protocols between
+        the organization and its critical suppliers
+
+        Ex5: Conduct collaborative lessons learned sessions with critical suppliers
+
+        3rd: 3rd Party Risk'
+    - urn: urn:intuitem:risk:req_node:nist-csf-2.0:gv.sc-09
+      assessable: true
+      depth: 3
+      parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:gv.sc
+      ref_id: GV.SC-09
+      description: Supply chain security practices are integrated into cybersecurity
+        and enterprise risk management programs, and their performance is monitored
+        throughout the technology product and service life cycle
+    - urn: urn:intuitem:risk:req_node:nist-csf-2.0:node68
+      assessable: false
+      depth: 4
+      parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:gv.sc-09
+      name: Examples
+      description: 'Ex1: Policies and procedures require provenance records for all
+        acquired technology products and services
+
+        Ex2: Periodically provide risk reporting to leaders about how acquired components
+        are proven to be untampered and authentic
+
+        Ex3: Communicate regularly among cybersecurity risk managers and operations
+        personnel about the need to acquire software patches, updates, and upgrades
+        only from authenticated and trustworthy software providers
+
+        Ex4: Review policies to ensure that they require approved supplier personnel
+        to perform maintenance on supplier products
+
+        Ex5: Policies and procedure require checking upgrades to critical hardware
+        for unauthorized changes
+
+        3rd: 3rd Party Risk'
+    - urn: urn:intuitem:risk:req_node:nist-csf-2.0:gv.sc-10
+      assessable: true
+      depth: 3
+      parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:gv.sc
+      ref_id: GV.SC-10
+      description: Cybersecurity supply chain risk management plans include provisions
+        for activities that occur after the conclusion of a partnership or service
+        agreement
+    - urn: urn:intuitem:risk:req_node:nist-csf-2.0:node70
+      assessable: false
+      depth: 4
+      parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:gv.sc-10
+      name: Examples
+      description: 'Ex1: Establish processes for terminating critical relationships
+        under both normal and adverse circumstances
+
+        Ex2: Define and implement plans for component end-of-life maintenance support
+        and obsolescence
+
+        Ex3: Verify that supplier access to organization resources is deactivated
+        promptly when it is no longer needed
+
+        Ex4: Verify that assets containing the organization''s data are returned or
+        properly disposed of in a timely, controlled, and safe manner
+
+        Ex5: Develop and execute a plan for terminating or transitioning supplier
+        relationships that takes supply chain security risk and resiliency into account
+
+        Ex6: Mitigate risks to data and systems created by supplier termination
+
+        Ex7: Manage data leakage risks associated with supplier termination
+
+        3rd: 3rd Party Risk'
+    - urn: urn:intuitem:risk:req_node:nist-csf-2.0:id
+      assessable: false
+      depth: 1
+      ref_id: ID
+      name: IDENTIFY
+      description: The organization's current cybersecurity risks are understood
+    - urn: urn:intuitem:risk:req_node:nist-csf-2.0:id.am
+      assessable: false
+      depth: 2
+      parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:id
+      ref_id: ID.AM
+      name: Asset Management
+      description: Assets (e.g., data, hardware, software, systems, facilities, services,
+        people) that enable the organization to achieve business purposes are identified
+        and managed consistent with their relative importance to organizational objectives
+        and the organization's risk strategy
+    - urn: urn:intuitem:risk:req_node:nist-csf-2.0:id.am-01
+      assessable: true
+      depth: 3
+      parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:id.am
+      ref_id: ID.AM-01
+      description: Inventories of hardware managed by the organization are maintained
+    - urn: urn:intuitem:risk:req_node:nist-csf-2.0:node74
+      assessable: false
+      depth: 4
+      parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:id.am-01
+      name: Examples
+      description: '1st: 1st Party Risk
+
+        Ex1: Maintain inventories for all types of hardware, including IT, IoT, OT,
+        and mobile devices
+
+        Ex2: Constantly monitor networks to detect new hardware and automatically
+        update inventories'
+    - urn: urn:intuitem:risk:req_node:nist-csf-2.0:id.am-02
+      assessable: true
+      depth: 3
+      parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:id.am
+      ref_id: ID.AM-02
+      description: Inventories of software, services, and systems managed by the organization
+        are maintained
+    - urn: urn:intuitem:risk:req_node:nist-csf-2.0:node76
+      assessable: false
+      depth: 4
+      parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:id.am-02
+      name: Examples
+      description: '1st: 1st Party Risk
+
+        Ex1: Maintain inventories for all types of software and services, including
+        commercial-off-the-shelf, open-source, custom applications, API services,
+        and cloud-based applications and services
+
+        Ex2: Constantly monitor all platforms, including containers and virtual machines,
+        for software and service inventory changes
+
+        Ex3: Maintain an inventory of the organization''s systems'
+    - urn: urn:intuitem:risk:req_node:nist-csf-2.0:id.am-03
+      assessable: true
+      depth: 3
+      parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:id.am
+      ref_id: ID.AM-03
+      description: Representations of the organization's authorized network communication
+        and internal and external network data flows are maintained
+    - urn: urn:intuitem:risk:req_node:nist-csf-2.0:node78
+      assessable: false
+      depth: 4
+      parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:id.am-03
+      name: Examples
+      description: '1st: 1st Party Risk
+
+        3rd: 3rd Party Risk
+
+        Ex1: Maintain baselines of communication and data flows within the organization''s
+        wired and wireless networks
+
+        Ex2: Maintain baselines of communication and data flows between the organization
+        and third parties
+
+        Ex3: Maintain baselines of communication and data flows for the organization''s
+        infrastructure-as-a-service (IaaS) usage
+
+        Ex4: Maintain documentation of expected network ports, protocols, and services
+        that are typically used among authorized systems'
+    - urn: urn:intuitem:risk:req_node:nist-csf-2.0:id.am-04
+      assessable: true
+      depth: 3
+      parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:id.am
+      ref_id: ID.AM-04
+      description: Inventories of services provided by suppliers are maintained
+    - urn: urn:intuitem:risk:req_node:nist-csf-2.0:node80
+      assessable: false
+      depth: 4
+      parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:id.am-04
+      name: Examples
+      description: 'Ex1: Inventory all external services used by the organization,
+        including third-party infrastructure-as-a-service (IaaS), platform-as-a-service
+        (PaaS), and software-as-a-service (SaaS) offerings; APIs; and other externally
+        hosted application services
+
+        Ex2: Update the inventory when a new external service is going to be utilized
+        to ensure adequate cybersecurity risk management monitoring of the organization''s
+        use of that service
+
+        3rd: 3rd Party Risk'
+    - urn: urn:intuitem:risk:req_node:nist-csf-2.0:id.am-05
+      assessable: true
+      depth: 3
+      parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:id.am
+      ref_id: ID.AM-05
+      description: Assets are prioritized based on classification, criticality, resources,
+        and impact on the mission
+    - urn: urn:intuitem:risk:req_node:nist-csf-2.0:node82
+      assessable: false
+      depth: 4
+      parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:id.am-05
+      name: Examples
+      description: '1st: 1st Party Risk
+
+        Ex1: Define criteria for prioritizing each class of assets
+
+        Ex2: Apply the prioritization criteria to assets
+
+        Ex3: Track the asset priorities and update them periodically or when significant
+        changes to the organization occur'
+    - urn: urn:intuitem:risk:req_node:nist-csf-2.0:id.am-07
+      assessable: true
+      depth: 3
+      parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:id.am
+      ref_id: ID.AM-07
+      description: Inventories of data and corresponding metadata for designated data
+        types are maintained
+    - urn: urn:intuitem:risk:req_node:nist-csf-2.0:node84
+      assessable: false
+      depth: 4
+      parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:id.am-07
+      name: Examples
+      description: '1st: 1st Party Risk
+
+        Ex1: Maintain a list of the designated data types of interest (e.g., personally
+        identifiable information, protected health information, financial account
+        numbers, organization intellectual property, operational technology data)
+
+        Ex2: Continuously discover and analyze ad hoc data to identify new instances
+        of designated data types
+
+        Ex3: Assign data classifications to designated data types through tags or
+        labels
+
+        Ex4: Track the provenance, data owner, and geolocation of each instance of
+        designated data types'
+    - urn: urn:intuitem:risk:req_node:nist-csf-2.0:id.am-08
+      assessable: true
+      depth: 3
+      parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:id.am
+      ref_id: ID.AM-08
+      description: Systems, hardware, software, services, and data are managed throughout
+        their life cycles
+    - urn: urn:intuitem:risk:req_node:nist-csf-2.0:node86
+      assessable: false
+      depth: 4
+      parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:id.am-08
+      name: Examples
+      description: '1st: 1st Party Risk
+
+        3rd: 3rd Party Risk
+
+        Ex1: Integrate cybersecurity considerations throughout the life cycles of
+        systems, hardware, software, and services
+
+        Ex2: Integrate cybersecurity considerations into product life cycles
+
+        Ex3: Identify unofficial uses of technology to meet mission objectives (i.e.,
+        shadow IT)
+
+        Ex4: Periodically identify redundant systems, hardware, software, and services
+        that unnecessarily increase the organization''s attack surface
+
+        Ex5: Properly configure and secure systems, hardware, software, and services
+        prior to their deployment in production
+
+        Ex6: Update inventories when systems, hardware, software, and services are
+        moved or transferred within the organization
+
+        Ex7: Securely destroy stored data based on the organization''s data retention
+        policy using the prescribed destruction method, and keep and manage a record
+        of the destructions
+
+        Ex8: Securely sanitize data storage when hardware is being retired, decommissioned,
+        reassigned, or sent for repairs or replacement
+
+        Ex9: Offer methods for destroying paper, storage media, and other physical
+        forms of data storage'
+    - urn: urn:intuitem:risk:req_node:nist-csf-2.0:id.ra
+      assessable: false
+      depth: 2
+      parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:id
+      ref_id: ID.RA
+      name: Risk Assessment
+      description: The cybersecurity risk to the organization, assets, and individuals
+        is understood by the organization
+    - urn: urn:intuitem:risk:req_node:nist-csf-2.0:id.ra-01
+      assessable: true
+      depth: 3
+      parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:id.ra
+      ref_id: ID.RA-01
+      description: Vulnerabilities in assets are identified, validated, and recorded
+    - urn: urn:intuitem:risk:req_node:nist-csf-2.0:node89
+      assessable: false
+      depth: 4
+      parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:id.ra-01
+      name: Examples
+      description: '1st: 1st Party Risk
+
+        Ex1: Use vulnerability management technologies to identify unpatched and misconfigured
+        software
+
+        Ex2: Assess network and system architectures for design and implementation
+        weaknesses that affect cybersecurity
+
+        Ex3: Review, analyze, or test organization-developed software to identify
+        design, coding, and default configuration vulnerabilities
+
+        Ex4: Assess facilities that house critical computing assets for physical vulnerabilities
+        and resilience issues
+
+        Ex5: Monitor sources of cyber threat intelligence for information on new vulnerabilities
+        in products and services
+
+        Ex6: Review processes and procedures for weaknesses that could be exploited
+        to affect cybersecurity'
+    - urn: urn:intuitem:risk:req_node:nist-csf-2.0:id.ra-02
+      assessable: true
+      depth: 3
+      parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:id.ra
+      ref_id: ID.RA-02
+      description: Cyber threat intelligence is received from information sharing
+        forums and sources
+    - urn: urn:intuitem:risk:req_node:nist-csf-2.0:node91
+      assessable: false
+      depth: 4
+      parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:id.ra-02
+      name: Examples
+      description: '1st: 1st Party Risk
+
+        Ex1: Configure cybersecurity tools and technologies with detection or response
+        capabilities to securely ingest cyber threat intelligence feeds
+
+        Ex2: Receive and review advisories from reputable third parties on current
+        threat actors and their tactics, techniques, and procedures (TTPs)
+
+        Ex3: Monitor sources of cyber threat intelligence for information on the types
+        of vulnerabilities that emerging technologies may have'
+    - urn: urn:intuitem:risk:req_node:nist-csf-2.0:id.ra-03
+      assessable: true
+      depth: 3
+      parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:id.ra
+      ref_id: ID.RA-03
+      description: Internal and external threats to the organization are identified
+        and recorded
+    - urn: urn:intuitem:risk:req_node:nist-csf-2.0:node93
+      assessable: false
+      depth: 4
+      parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:id.ra-03
+      name: Examples
+      description: '1st: 1st Party Risk
+
+        3rd: 3rd Party Risk
+
+        Ex1: Use cyber threat intelligence to maintain awareness of the types of threat
+        actors likely to target the organization and the TTPs they are likely to use
+
+        Ex2: Perform threat hunting to look for signs of threat actors within the
+        environment
+
+        Ex3: Implement processes for identifying internal threat actors'
+    - urn: urn:intuitem:risk:req_node:nist-csf-2.0:id.ra-04
+      assessable: true
+      depth: 3
+      parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:id.ra
+      ref_id: ID.RA-04
+      description: Potential impacts and likelihoods of threats exploiting vulnerabilities
+        are identified and recorded
+    - urn: urn:intuitem:risk:req_node:nist-csf-2.0:node95
+      assessable: false
+      depth: 4
+      parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:id.ra-04
+      name: Examples
+      description: '1st: 1st Party Risk
+
+        Ex1: Business leaders and cybersecurity risk management practitioners work
+        together to estimate the likelihood and impact of risk scenarios and record
+        them in risk registers
+
+        Ex2: Enumerate the potential business impacts of unauthorized access to the
+        organization''s communications, systems, and data processed in or by those
+        systems
+
+        Ex3: Account for the potential impacts of cascading failures for systems of
+        systems'
+    - urn: urn:intuitem:risk:req_node:nist-csf-2.0:id.ra-05
+      assessable: true
+      depth: 3
+      parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:id.ra
+      ref_id: ID.RA-05
+      description: Threats, vulnerabilities, likelihoods, and impacts are used to
+        understand inherent risk and inform risk response prioritization
+    - urn: urn:intuitem:risk:req_node:nist-csf-2.0:node97
+      assessable: false
+      depth: 4
+      parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:id.ra-05
+      name: Examples
+      description: '1st: 1st Party Risk
+
+        Ex1: Develop threat models to better understand risks to the data and identify
+        appropriate risk responses
+
+        Ex2: Prioritize cybersecurity resource allocations and investments based on
+        estimated likelihoods and impacts'
+    - urn: urn:intuitem:risk:req_node:nist-csf-2.0:id.ra-06
+      assessable: true
+      depth: 3
+      parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:id.ra
+      ref_id: ID.RA-06
+      description: Risk responses are chosen, prioritized, planned, tracked, and communicated
+    - urn: urn:intuitem:risk:req_node:nist-csf-2.0:node99
+      assessable: false
+      depth: 4
+      parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:id.ra-06
+      name: Examples
+      description: '1st: 1st Party Risk
+
+        Ex1: Apply the vulnerability management plan''s criteria for deciding whether
+        to accept, transfer, mitigate, or avoid risk
+
+        Ex2: Apply the vulnerability management plan''s criteria for selecting compensating
+        controls to mitigate risk
+
+        Ex3: Track the progress of risk response implementation (e.g., plan of action
+        and milestones [POA&M], risk register, risk detail report)
+
+        Ex4: Use risk assessment findings to inform risk response decisions and actions
+
+        Ex5: Communicate planned risk responses to affected stakeholders in priority
+        order'
+    - urn: urn:intuitem:risk:req_node:nist-csf-2.0:id.ra-07
+      assessable: true
+      depth: 3
+      parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:id.ra
+      ref_id: ID.RA-07
+      description: Changes and exceptions are managed, assessed for risk impact, recorded,
+        and tracked
+    - urn: urn:intuitem:risk:req_node:nist-csf-2.0:node101
+      assessable: false
+      depth: 4
+      parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:id.ra-07
+      name: Examples
+      description: 'Ex1: Implement and follow procedures for the formal documentation,
+        review, testing, and approval of proposed changes and requested exceptions
+
+        Ex2: Document the possible risks of making or not making each proposed change,
+        and provide guidance on rolling back changes
+
+        Ex3: Document the risks related to each requested exception and the plan for
+        responding to those risks
+
+        Ex4: Periodically review risks that were accepted based upon planned future
+        actions or milestones'
+    - urn: urn:intuitem:risk:req_node:nist-csf-2.0:id.ra-08
+      assessable: true
+      depth: 3
+      parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:id.ra
+      ref_id: ID.RA-08
+      description: Processes for receiving, analyzing, and responding to vulnerability
+        disclosures are established
+    - urn: urn:intuitem:risk:req_node:nist-csf-2.0:node103
+      assessable: false
+      depth: 4
+      parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:id.ra-08
+      name: Examples
+      description: '1st: 1st Party Risk
+
+        3rd: 3rd Party Risk
+
+        Ex1: Conduct vulnerability information sharing between the organization and
+        its suppliers following the rules and protocols defined in contracts
+
+        Ex2: Assign responsibilities and verify the execution of procedures for processing,
+        analyzing the impact of, and responding to cybersecurity threat, vulnerability,
+        or incident disclosures by suppliers, customers, partners, and government
+        cybersecurity organizations'
+    - urn: urn:intuitem:risk:req_node:nist-csf-2.0:id.ra-09
+      assessable: true
+      depth: 3
+      parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:id.ra
+      ref_id: ID.RA-09
+      description: The authenticity and integrity of hardware and software are assessed
+        prior to acquisition and use
+    - urn: urn:intuitem:risk:req_node:nist-csf-2.0:node105
+      assessable: false
+      depth: 4
+      parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:id.ra-09
+      name: Examples
+      description: 'Ex1: Assess the authenticity and cybersecurity of critical technology
+        products and services prior to acquisition and use
+
+        3rd: 3rd Party Risk'
+    - urn: urn:intuitem:risk:req_node:nist-csf-2.0:id.ra-10
+      assessable: true
+      depth: 3
+      parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:id.ra
+      ref_id: ID.RA-10
+      description: Critical suppliers are assessed prior to acquisition
+    - urn: urn:intuitem:risk:req_node:nist-csf-2.0:node107
+      assessable: false
+      depth: 4
+      parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:id.ra-10
+      name: Examples
+      description: 'Ex1: Conduct supplier risk assessments against business and applicable
+        cybersecurity requirements, including the supply chain'
+    - urn: urn:intuitem:risk:req_node:nist-csf-2.0:id.im
+      assessable: false
+      depth: 2
+      parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:id
+      ref_id: ID.IM
+      name: Improvement
+      description: Improvements to organizational cybersecurity risk management processes,
+        procedures and activities are identified across all CSF Functions
+    - urn: urn:intuitem:risk:req_node:nist-csf-2.0:id.im-01
+      assessable: true
+      depth: 3
+      parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:id.im
+      ref_id: ID.IM-01
+      description: Improvements are identified from evaluations
+    - urn: urn:intuitem:risk:req_node:nist-csf-2.0:node110
+      assessable: false
+      depth: 4
+      parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:id.im-01
+      name: Examples
+      description: '1st: 1st Party Risk
+
+        Ex1: Perform self-assessments of critical services that take current threats
+        and TTPs into consideration
+
+        Ex2: Invest in third-party assessments or independent audits of the effectiveness
+        of the organization''s cybersecurity program to identify areas that need improvement
+
+        Ex3: Constantly evaluate compliance with selected cybersecurity requirements
+        through automated means'
+    - urn: urn:intuitem:risk:req_node:nist-csf-2.0:id.im-02
+      assessable: true
+      depth: 3
+      parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:id.im
+      ref_id: ID.IM-02
+      description: Improvements are identified from security tests and exercises,
+        including those done in coordination with suppliers and relevant third parties
+    - urn: urn:intuitem:risk:req_node:nist-csf-2.0:node112
+      assessable: false
+      depth: 4
+      parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:id.im-02
+      name: Examples
+      description: '1st: 1st Party Risk
+
+        3rd: 3rd Party Risk
+
+        Ex1: Identify improvements for future incident response activities based on
+        findings from incident response assessments (e.g., tabletop exercises and
+        simulations, tests, internal reviews, independent audits)
+
+        Ex2: Identify improvements for future business continuity, disaster recovery,
+        and incident response activities based on exercises performed in coordination
+        with critical service providers and product suppliers
+
+        Ex3: Involve internal stakeholders (e.g., senior executives, legal department,
+        HR) in security tests and exercises as appropriate
+
+        Ex4: Perform penetration testing to identify opportunities to improve the
+        security posture of selected high-risk systems as approved by leadership
+
+        Ex5: Exercise contingency plans for responding to and recovering from the
+        discovery that products or services did not originate with the contracted
+        supplier or partner or were altered before receipt
+
+        Ex6: Collect and analyze performance metrics using security tools and services
+        to inform improvements to the cybersecurity program'
+    - urn: urn:intuitem:risk:req_node:nist-csf-2.0:id.im-03
+      assessable: true
+      depth: 3
+      parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:id.im
+      ref_id: ID.IM-03
+      description: Improvements are identified from execution of operational processes,
+        procedures, and activities
+    - urn: urn:intuitem:risk:req_node:nist-csf-2.0:node114
+      assessable: false
+      depth: 4
+      parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:id.im-03
+      name: Examples
+      description: '1st: 1st Party Risk
+
+        Ex1: Conduct collaborative lessons learned sessions with suppliers
+
+        Ex2: Annually review cybersecurity policies, processes, and procedures to
+        take lessons learned into account
+
+        Ex3: Use metrics to assess operational cybersecurity performance over time'
+    - urn: urn:intuitem:risk:req_node:nist-csf-2.0:id.im-04
+      assessable: true
+      depth: 3
+      parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:id.im
+      ref_id: ID.IM-04
+      description: Incident response plans and other cybersecurity plans that affect
+        operations are established, communicated, maintained, and improved
+    - urn: urn:intuitem:risk:req_node:nist-csf-2.0:node116
+      assessable: false
+      depth: 4
+      parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:id.im-04
+      name: Examples
+      description: '1st: 1st Party Risk
+
+        Ex1: Establish contingency plans (e.g., incident response, business continuity,
+        disaster recovery) for responding to and recovering from adverse events that
+        can interfere with operations, expose confidential information, or otherwise
+        endanger the organization''s mission and viability
+
+        Ex2: Include contact and communication information, processes for handling
+        common scenarios, and criteria for prioritization, escalation, and elevation
+        in all contingency plans
+
+        Ex3: Create a vulnerability management plan to identify and assess all types
+        of vulnerabilities and to prioritize, test, and implement risk responses
+
+        Ex4: Communicate cybersecurity plans (including updates) to those responsible
+        for carrying them out and to affected parties
+
+        Ex5: Review and update all cybersecurity plans annually or when a need for
+        significant improvements is identified'
+    - urn: urn:intuitem:risk:req_node:nist-csf-2.0:pr
+      assessable: false
+      depth: 1
+      ref_id: PR
+      name: PROTECT
+      description: Safeguards to manage the organization's cybersecurity risks are
+        used
+    - urn: urn:intuitem:risk:req_node:nist-csf-2.0:pr.aa
+      assessable: false
+      depth: 2
+      parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:pr
+      ref_id: PR.AA
+      name: Identity Management, Authentication, and Access Control
+      description: Access to physical and logical assets is limited to authorized
+        users, services, and hardware and  managed commensurate with the assessed
+        risk of unauthorized access
+    - urn: urn:intuitem:risk:req_node:nist-csf-2.0:pr.aa-01
+      assessable: true
+      depth: 3
+      parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:pr.aa
+      ref_id: PR.AA-01
+      description: Identities and credentials for authorized users, services, and
+        hardware are managed by the organization
+    - urn: urn:intuitem:risk:req_node:nist-csf-2.0:node120
+      assessable: false
+      depth: 4
+      parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:pr.aa-01
+      name: Examples
+      description: '1st: 1st Party Risk
+
+        Ex1: Initiate requests for new access or additional access for employees,
+        contractors, and others, and track, review, and fulfill the requests, with
+        permission from system or data owners when needed
+
+        Ex2: Issue, manage, and revoke cryptographic certificates and identity tokens,
+        cryptographic keys (i.e., key management), and other credentials
+
+        Ex3: Select a unique identifier for each device from immutable hardware characteristics
+        or an identifier securely provisioned to the device
+
+        Ex4: Physically label authorized hardware with an identifier for inventory
+        and servicing purposes'
+    - urn: urn:intuitem:risk:req_node:nist-csf-2.0:pr.aa-02
+      assessable: true
+      depth: 3
+      parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:pr.aa
+      ref_id: PR.AA-02
+      description: Identities are proofed and bound to credentials based on the context
+        of interactions
+    - urn: urn:intuitem:risk:req_node:nist-csf-2.0:node122
+      assessable: false
+      depth: 4
+      parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:pr.aa-02
+      name: Examples
+      description: '1st: 1st Party Risk
+
+        3rd: 3rd Party Risk
+
+        Ex1: Verify a person''s claimed identity at enrollment time using government-issued
+        identity credentials (e.g., passport, visa, driver''s license)
+
+        Ex2: Issue a different credential for each person (i.e., no credential sharing)'
+    - urn: urn:intuitem:risk:req_node:nist-csf-2.0:pr.aa-03
+      assessable: true
+      depth: 3
+      parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:pr.aa
+      ref_id: PR.AA-03
+      description: Users, services, and hardware are authenticated
+    - urn: urn:intuitem:risk:req_node:nist-csf-2.0:node124
+      assessable: false
+      depth: 4
+      parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:pr.aa-03
+      name: Examples
+      description: '1st: 1st Party Risk
+
+        Ex1: Require multifactor authentication
+
+        Ex2: Enforce policies for the minimum strength of passwords, PINs, and similar
+        authenticators
+
+        Ex3: Periodically reauthenticate users, services, and hardware based on risk
+        (e.g., in zero trust architectures)
+
+        Ex4: Ensure that authorized personnel can access accounts essential for protecting
+        safety under emergency conditions'
+    - urn: urn:intuitem:risk:req_node:nist-csf-2.0:pr.aa-04
+      assessable: true
+      depth: 3
+      parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:pr.aa
+      ref_id: PR.AA-04
+      description: Identity assertions are protected, conveyed, and verified
+    - urn: urn:intuitem:risk:req_node:nist-csf-2.0:node126
+      assessable: false
+      depth: 4
+      parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:pr.aa-04
+      name: Examples
+      description: '1st: 1st Party Risk
+
+        Ex1: Protect identity assertions that are used to convey authentication and
+        user information through single sign-on systems
+
+        Ex2: Protect identity assertions that are used to convey authentication and
+        user information between federated systems
+
+        Ex3: Implement standards-based approaches for identity assertions in all contexts,
+        and follow all guidance for the generation (e.g., data models, metadata),
+        protection (e.g., digital signing, encryption), and verification (e.g., signature
+        validation) of identity assertions'
+    - urn: urn:intuitem:risk:req_node:nist-csf-2.0:pr.aa-05
+      assessable: true
+      depth: 3
+      parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:pr.aa
+      ref_id: PR.AA-05
+      description: Access permissions, entitlements, and authorizations are defined
+        in a policy, managed, enforced, and reviewed, and incorporate the principles
+        of least privilege and separation of duties
+    - urn: urn:intuitem:risk:req_node:nist-csf-2.0:node128
+      assessable: false
+      depth: 4
+      parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:pr.aa-05
+      name: Examples
+      description: '1st: 1st Party Risk
+
+        Ex1: Review logical and physical access privileges periodically and whenever
+        someone changes roles or leaves the organization, and promptly rescind privileges
+        that are no longer needed
+
+        Ex2: Take attributes of the requester and the requested resource into account
+        for authorization decisions (e.g., geolocation, day/time, requester endpoint''s
+        cyber health)
+
+        Ex3: Restrict access and privileges to the minimum necessary (e.g., zero trust
+        architecture)
+
+        Ex4: Periodically review the privileges associated with critical business
+        functions to confirm proper separation of duties'
+    - urn: urn:intuitem:risk:req_node:nist-csf-2.0:pr.aa-06
+      assessable: true
+      depth: 3
+      parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:pr.aa
+      ref_id: PR.AA-06
+      description: Physical access to assets is managed, monitored, and enforced commensurate
+        with risk
+    - urn: urn:intuitem:risk:req_node:nist-csf-2.0:node130
+      assessable: false
+      depth: 4
+      parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:pr.aa-06
+      name: Examples
+      description: '1st: 1st Party Risk
+
+        3rd: 3rd Party Risk
+
+        Ex1: Use security guards, security cameras, locked entrances, alarm systems,
+        and other physical controls to monitor facilities and restrict access
+
+        Ex2: Employ additional physical security controls for areas that contain high-risk
+        assets
+
+        Ex3: Escort guests, vendors, and other third parties within areas that contain
+        business-critical assets'
+    - urn: urn:intuitem:risk:req_node:nist-csf-2.0:pr.at
+      assessable: false
+      depth: 2
+      parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:pr
+      ref_id: PR.AT
+      name: Awareness and Training
+      description: The organization's personnel are provided with cybersecurity awareness
+        and training so that they can perform their cybersecurity-related tasks
+    - urn: urn:intuitem:risk:req_node:nist-csf-2.0:pr.at-01
+      assessable: true
+      depth: 3
+      parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:pr.at
+      ref_id: PR.AT-01
+      description: Personnel are provided with awareness and training so that they
+        possess the knowledge and skills to perform general tasks with cybersecurity
+        risks in mind
+    - urn: urn:intuitem:risk:req_node:nist-csf-2.0:node133
+      assessable: false
+      depth: 4
+      parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:pr.at-01
+      name: Examples
+      description: '1st: 1st Party Risk
+
+        Ex1: Provide basic cybersecurity awareness and training to employees, contractors,
+        partners, suppliers, and all other users of the organization''s non-public
+        resources
+
+        Ex2: Train personnel to recognize social engineering attempts and other common
+        attacks, report attacks and suspicious activity, comply with acceptable use
+        policies, and perform basic cyber hygiene tasks (e.g., patching software,
+        choosing passwords, protecting credentials)
+
+        Ex3: Explain the consequences of cybersecurity policy violations, both to
+        individual users and the organization as a whole
+
+        Ex4: Periodically assess or test users on their understanding of basic cybersecurity
+        practices
+
+        Ex5: Require annual refreshers to reinforce existing practices and introduce
+        new practices'
+    - urn: urn:intuitem:risk:req_node:nist-csf-2.0:pr.at-02
+      assessable: true
+      depth: 3
+      parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:pr.at
+      ref_id: PR.AT-02
+      description: Individuals in specialized roles are provided with awareness and
+        training so that they possess the knowledge and skills to perform relevant
+        tasks with cybersecurity risks in mind
+    - urn: urn:intuitem:risk:req_node:nist-csf-2.0:node135
+      assessable: false
+      depth: 4
+      parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:pr.at-02
+      name: Examples
+      description: '1st: 1st Party Risk
+
+        3rd: 3rd Party Risk
+
+        Ex1: Identify the specialized roles within the organization that require additional
+        cybersecurity training, such as physical and cybersecurity personnel, finance
+        personnel, senior leadership, and anyone with access to business-critical
+        data
+
+        Ex2: Provide role-based cybersecurity awareness and training to all those
+        in specialized roles, including contractors, partners, suppliers, and other
+        third parties
+
+        Ex3: Periodically assess or test users on their understanding of cybersecurity
+        practices for their specialized roles
+
+        Ex4: Require annual refreshers to reinforce existing practices and introduce
+        new practices'
+    - urn: urn:intuitem:risk:req_node:nist-csf-2.0:pr.ds
+      assessable: false
+      depth: 2
+      parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:pr
+      ref_id: PR.DS
+      name: Data Security
+      description: Data are managed consistent with the organization's risk strategy
+        to protect the confidentiality, integrity, and availability of information
+    - urn: urn:intuitem:risk:req_node:nist-csf-2.0:pr.ds-01
+      assessable: true
+      depth: 3
+      parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:pr.ds
+      ref_id: PR.DS-01
+      description: The confidentiality, integrity, and availability of data-at-rest
+        are protected
+    - urn: urn:intuitem:risk:req_node:nist-csf-2.0:node138
+      assessable: false
+      depth: 4
+      parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:pr.ds-01
+      name: Examples
+      description: '1st: 1st Party Risk
+
+        Ex1: Use encryption, digital signatures, and cryptographic hashes to protect
+        the confidentiality and integrity of stored data in files, databases, virtual
+        machine disk images, container images, and other resources
+
+        Ex2: Use full disk encryption to protect data stored on user endpoints
+
+        Ex3: Confirm the integrity of software by validating signatures
+
+        Ex4: Restrict the use of removable media to prevent data exfiltration
+
+        Ex5: Physically secure removable media containing unencrypted sensitive information,
+        such as within locked offices or file cabinets'
+    - urn: urn:intuitem:risk:req_node:nist-csf-2.0:pr.ds-02
+      assessable: true
+      depth: 3
+      parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:pr.ds
+      ref_id: PR.DS-02
+      description: The confidentiality, integrity, and availability of data-in-transit
+        are protected
+    - urn: urn:intuitem:risk:req_node:nist-csf-2.0:node140
+      assessable: false
+      depth: 4
+      parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:pr.ds-02
+      name: Examples
+      description: '1st: 1st Party Risk
+
+        Ex1: Use encryption, digital signatures, and cryptographic hashes to protect
+        the confidentiality and integrity of network communications
+
+        Ex2: Automatically encrypt or block outbound emails and other communications
+        that contain sensitive data, depending on the data classification
+
+        Ex3: Block access to personal email, file sharing, file storage services,
+        and other personal communications applications and services from organizational
+        systems and networks
+
+        Ex4: Prevent reuse of sensitive data from production environments (e.g., customer
+        records) in development, testing, and other non-production environments'
+    - urn: urn:intuitem:risk:req_node:nist-csf-2.0:pr.ds-10
+      assessable: true
+      depth: 3
+      parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:pr.ds
+      ref_id: PR.DS-10
+      description: The confidentiality, integrity, and availability of data-in-use
+        are protected
+    - urn: urn:intuitem:risk:req_node:nist-csf-2.0:node142
+      assessable: false
+      depth: 4
+      parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:pr.ds-10
+      name: Examples
+      description: '1st: 1st Party Risk
+
+        Ex1: Remove data that must remain confidential (e.g., from processors and
+        memory) as soon as it is no longer needed
+
+        Ex2: Protect data in use from access by other users and processes of the same
+        platform'
+    - urn: urn:intuitem:risk:req_node:nist-csf-2.0:pr.ds-11
+      assessable: true
+      depth: 3
+      parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:pr.ds
+      ref_id: PR.DS-11
+      description: Backups of data are created, protected, maintained, and tested
+    - urn: urn:intuitem:risk:req_node:nist-csf-2.0:node144
+      assessable: false
+      depth: 4
+      parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:pr.ds-11
+      name: Examples
+      description: '1st: 1st Party Risk
+
+        Ex1: Continuously back up critical data in near-real-time, and back up other
+        data frequently at agreed-upon schedules
+
+        Ex2: Test backups and restores for all types of data sources at least annually
+
+        Ex3: Securely store some backups offline and offsite so that an incident or
+        disaster will not damage them
+
+        Ex4: Enforce geographic separation and geolocation restrictions for data backup
+        storage'
+    - urn: urn:intuitem:risk:req_node:nist-csf-2.0:pr.ps
+      assessable: false
+      depth: 2
+      parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:pr
+      ref_id: PR.PS
+      name: Platform Security
+      description: The hardware, software (e.g., firmware, operating systems, applications),
+        and services of physical and virtual platforms are managed consistent with
+        the organization's risk strategy to protect their confidentiality, integrity,
+        and availability
+    - urn: urn:intuitem:risk:req_node:nist-csf-2.0:pr.ps-01
+      assessable: true
+      depth: 3
+      parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:pr.ps
+      ref_id: PR.PS-01
+      description: Configuration management practices are established and applied
+    - urn: urn:intuitem:risk:req_node:nist-csf-2.0:node147
+      assessable: false
+      depth: 4
+      parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:pr.ps-01
+      name: Examples
+      description: '1st: 1st Party Risk
+
+        Ex1: Establish, test, deploy, and maintain hardened baselines that enforce
+        the organization''s cybersecurity policies and provide only essential capabilities
+        (i.e., principle of least functionality)
+
+        Ex2: Review all default configuration settings that may potentially impact
+        cybersecurity when installing or upgrading software
+
+        Ex3: Monitor implemented software for deviations from approved baselines'
+    - urn: urn:intuitem:risk:req_node:nist-csf-2.0:pr.ps-02
+      assessable: true
+      depth: 3
+      parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:pr.ps
+      ref_id: PR.PS-02
+      description: Software is maintained, replaced, and removed commensurate with
+        risk
+    - urn: urn:intuitem:risk:req_node:nist-csf-2.0:node149
+      assessable: false
+      depth: 4
+      parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:pr.ps-02
+      name: Examples
+      description: '1st: 1st Party Risk
+
+        Ex1: Perform routine and emergency patching within the timeframes specified
+        in the vulnerability management plan
+
+        Ex2: Update container images, and deploy new container instances to replace
+        rather than update existing instances
+
+        Ex3: Replace end-of-life software and service versions with supported, maintained
+        versions
+
+        Ex4: Uninstall and remove unauthorized software and services that pose undue
+        risks
+
+        Ex5: Uninstall and remove any unnecessary software components (e.g., operating
+        system utilities) that attackers might misuse
+
+        Ex6: Define and implement plans for software and service end-of-life maintenance
+        support and obsolescence'
+    - urn: urn:intuitem:risk:req_node:nist-csf-2.0:pr.ps-03
+      assessable: true
+      depth: 3
+      parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:pr.ps
+      ref_id: PR.PS-03
+      description: Hardware is maintained, replaced, and removed commensurate with
+        risk
+    - urn: urn:intuitem:risk:req_node:nist-csf-2.0:node151
+      assessable: false
+      depth: 4
+      parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:pr.ps-03
+      name: Examples
+      description: '1st: 1st Party Risk
+
+        3rd: 3rd Party Risk
+
+        Ex1: Replace hardware when it lacks needed security capabilities or when it
+        cannot support software with needed security capabilities
+
+        Ex2: Define and implement plans for hardware end-of-life maintenance support
+        and obsolescence
+
+        Ex3: Perform hardware disposal in a secure, responsible, and auditable manner'
+    - urn: urn:intuitem:risk:req_node:nist-csf-2.0:pr.ps-04
+      assessable: true
+      depth: 3
+      parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:pr.ps
+      ref_id: PR.PS-04
+      description: Log records are generated and made available for continuous monitoring
+    - urn: urn:intuitem:risk:req_node:nist-csf-2.0:node153
+      assessable: false
+      depth: 4
+      parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:pr.ps-04
+      name: Examples
+      description: '1st: 1st Party Risk
+
+        Ex1: Configure all operating systems, applications, and services (including
+        cloud-based services) to generate log records
+
+        Ex2: Configure log generators to securely share their logs with the organization''s
+        logging infrastructure systems and services
+
+        Ex3: Configure log generators to record the data needed by zero-trust architectures'
+    - urn: urn:intuitem:risk:req_node:nist-csf-2.0:pr.ps-05
+      assessable: true
+      depth: 3
+      parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:pr.ps
+      ref_id: PR.PS-05
+      description: Installation and execution of unauthorized software are prevented
+    - urn: urn:intuitem:risk:req_node:nist-csf-2.0:node155
+      assessable: false
+      depth: 4
+      parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:pr.ps-05
+      name: Examples
+      description: '1st: 1st Party Risk
+
+        Ex1: When risk warrants it, restrict software execution to permitted products
+        only or deny the execution of prohibited and unauthorized software
+
+        Ex2: Verify the source of new software and the software''s integrity before
+        installing it
+
+        Ex3: Configure platforms to use only approved DNS services that block access
+        to known malicious domains
+
+        Ex4: Configure platforms to allow the installation of organization-approved
+        software only'
+    - urn: urn:intuitem:risk:req_node:nist-csf-2.0:pr.ps-06
+      assessable: true
+      depth: 3
+      parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:pr.ps
+      ref_id: PR.PS-06
+      description: Secure software development practices are integrated, and their
+        performance is monitored throughout the software development life cycle
+    - urn: urn:intuitem:risk:req_node:nist-csf-2.0:node157
+      assessable: false
+      depth: 4
+      parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:pr.ps-06
+      name: Examples
+      description: '1st: 1st Party Risk
+
+        Ex1: Protect all components of organization-developed software from tampering
+        and unauthorized access
+
+        Ex2: Secure all software produced by the organization, with minimal vulnerabilities
+        in their releases
+
+        Ex3: Maintain the software used in production environments, and securely dispose
+        of software once it is no longer needed'
+    - urn: urn:intuitem:risk:req_node:nist-csf-2.0:pr.ir
+      assessable: false
+      depth: 2
+      parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:pr
+      ref_id: PR.IR
+      name: Technology Infrastructure Resilience
+      description: Security architectures are managed with the organization's risk
+        strategy to protect asset confidentiality, integrity, and availability, and
+        organizational resilience
+    - urn: urn:intuitem:risk:req_node:nist-csf-2.0:pr.ir-01
+      assessable: true
+      depth: 3
+      parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:pr.ir
+      ref_id: PR.IR-01
+      description: Networks and environments are protected from unauthorized logical
+        access and usage
+    - urn: urn:intuitem:risk:req_node:nist-csf-2.0:node160
+      assessable: false
+      depth: 4
+      parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:pr.ir-01
+      name: Examples
+      description: '1st: 1st Party Risk
+
+        3rd: 3rd Party Risk
+
+        Ex1: Logically segment organization networks and cloud-based platforms according
+        to trust boundaries and platform types (e.g., IT, IoT, OT, mobile, guests),
+        and permit required communications only between segments
+
+        Ex2: Logically segment organization networks from external networks, and permit
+        only necessary communications to enter the organization''s networks from the
+        external networks
+
+        Ex3: Implement zero trust architectures to restrict network access to each
+        resource to the minimum necessary
+
+        Ex4: Check the cyber health of endpoints before allowing them to access and
+        use production resources'
+    - urn: urn:intuitem:risk:req_node:nist-csf-2.0:pr.ir-02
+      assessable: true
+      depth: 3
+      parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:pr.ir
+      ref_id: PR.IR-02
+      description: The organization's technology assets are protected from environmental
+        threats
+    - urn: urn:intuitem:risk:req_node:nist-csf-2.0:node162
+      assessable: false
+      depth: 4
+      parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:pr.ir-02
+      name: Examples
+      description: '1st: 1st Party Risk
+
+        3rd: 3rd Party Risk
+
+        Ex1: Protect organizational equipment from known environmental threats, such
+        as flooding, fire, wind, and excessive heat and humidity
+
+        Ex2: Include protection from environmental threats and provisions for adequate
+        operating infrastructure in requirements for service providers that operate
+        systems on the organization''s behalf'
+    - urn: urn:intuitem:risk:req_node:nist-csf-2.0:pr.ir-03
+      assessable: true
+      depth: 3
+      parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:pr.ir
+      ref_id: PR.IR-03
+      description: Mechanisms are implemented to achieve resilience requirements in
+        normal and adverse situations
+    - urn: urn:intuitem:risk:req_node:nist-csf-2.0:node164
+      assessable: false
+      depth: 4
+      parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:pr.ir-03
+      name: Examples
+      description: '1st: 1st Party Risk
+
+        Ex1: Avoid single points of failure in systems and infrastructure
+
+        Ex2: Use load balancing to increase capacity and improve reliability
+
+        Ex3: Use high-availability components like redundant storage and power supplies
+        to improve system reliability'
+    - urn: urn:intuitem:risk:req_node:nist-csf-2.0:pr.ir-04
+      assessable: true
+      depth: 3
+      parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:pr.ir
+      ref_id: PR.IR-04
+      description: Adequate resource capacity to ensure availability is maintained
+    - urn: urn:intuitem:risk:req_node:nist-csf-2.0:node166
+      assessable: false
+      depth: 4
+      parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:pr.ir-04
+      name: Examples
+      description: 'Ex1: Monitor usage of storage, power, compute, network bandwidth,
+        and other resources
+
+        Ex2: Forecast future needs, and scale resources accordingly'
+    - urn: urn:intuitem:risk:req_node:nist-csf-2.0:de
+      assessable: false
+      depth: 1
+      ref_id: DE
+      name: DETECT
+      description: Possible cybersecurity attacks and compromises are found and analyzed
+    - urn: urn:intuitem:risk:req_node:nist-csf-2.0:de.cm
+      assessable: false
+      depth: 2
+      parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:de
+      ref_id: DE.CM
+      name: Continuous Monitoring
+      description: Assets are monitored to find anomalies, indicators of compromise,
+        and other potentially adverse events
+    - urn: urn:intuitem:risk:req_node:nist-csf-2.0:de.cm-01
+      assessable: true
+      depth: 3
+      parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:de.cm
+      ref_id: DE.CM-01
+      description: Networks and network services are monitored to find potentially
+        adverse events
+    - urn: urn:intuitem:risk:req_node:nist-csf-2.0:node170
+      assessable: false
+      depth: 4
+      parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:de.cm-01
+      name: Examples
+      description: 'Ex1: Monitor DNS, BGP, and other network services for adverse
+        events
+
+        Ex2: Monitor wired and wireless networks for connections from unauthorized
+        endpoints
+
+        Ex3: Monitor facilities for unauthorized or rogue wireless networks
+
+        Ex4: Compare actual network flows against baselines to detect deviations
+
+        Ex5: Monitor network communications to identify changes in security postures
+        for zero trust purposes
+
+        1st: 1st Party Risk'
+    - urn: urn:intuitem:risk:req_node:nist-csf-2.0:de.cm-02
+      assessable: true
+      depth: 3
+      parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:de.cm
+      ref_id: DE.CM-02
+      description: The physical environment is monitored to find potentially adverse
+        events
+    - urn: urn:intuitem:risk:req_node:nist-csf-2.0:node172
+      assessable: false
+      depth: 4
+      parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:de.cm-02
+      name: Examples
+      description: 'Ex1: Monitor logs from physical access control systems (e.g.,
+        badge readers) to find unusual access patterns (e.g., deviations from the
+        norm) and failed access attempts
+
+        Ex2: Review and monitor physical access records (e.g., from visitor registration,
+        sign-in sheets)
+
+        Ex3: Monitor physical access controls (e.g., locks, latches, hinge pins, alarms)
+        for signs of tampering
+
+        Ex4: Monitor the physical environment using alarm systems, cameras, and security
+        guards
+
+        1st: 1st Party Risk'
+    - urn: urn:intuitem:risk:req_node:nist-csf-2.0:de.cm-03
+      assessable: true
+      depth: 3
+      parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:de.cm
+      ref_id: DE.CM-03
+      description: Personnel activity and technology usage are monitored to find potentially
+        adverse events
+    - urn: urn:intuitem:risk:req_node:nist-csf-2.0:node174
+      assessable: false
+      depth: 4
+      parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:de.cm-03
+      name: Examples
+      description: 'Ex1: Use behavior analytics software to detect anomalous user
+        activity to mitigate insider threats
+
+        Ex2: Monitor logs from logical access control systems to find unusual access
+        patterns and failed access attempts
+
+        Ex3: Continuously monitor deception technology, including user accounts, for
+        any usage
+
+        1st: 1st Party Risk'
+    - urn: urn:intuitem:risk:req_node:nist-csf-2.0:de.cm-06
+      assessable: true
+      depth: 3
+      parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:de.cm
+      ref_id: DE.CM-06
+      description: External service provider activities and services are monitored
+        to find potentially adverse events
+    - urn: urn:intuitem:risk:req_node:nist-csf-2.0:node176
+      assessable: false
+      depth: 4
+      parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:de.cm-06
+      name: Examples
+      description: 'Ex1: Monitor remote and onsite administration and maintenance
+        activities that external providers perform on organizational systems
+
+        Ex2: Monitor activity from cloud-based services, internet service providers,
+        and other service providers for deviations from expected behavior
+
+        3rd: 3rd Party Risk'
+    - urn: urn:intuitem:risk:req_node:nist-csf-2.0:de.cm-09
+      assessable: true
+      depth: 3
+      parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:de.cm
+      ref_id: DE.CM-09
+      description: Computing hardware and software, runtime environments, and their
+        data are monitored to find potentially adverse events
+    - urn: urn:intuitem:risk:req_node:nist-csf-2.0:node178
+      assessable: false
+      depth: 4
+      parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:de.cm-09
+      name: Examples
+      description: 'Ex1: Monitor email, web, file sharing, collaboration services,
+        and other common attack vectors to detect malware, phishing, data leaks and
+        exfiltration, and other adverse events
+
+        Ex2: Monitor authentication attempts to identify attacks against credentials
+        and unauthorized credential reuse
+
+        Ex3: Monitor software configurations for deviations from security baselines
+
+        Ex4: Monitor hardware and software for signs of tampering
+
+        Ex5: Use technologies with a presence on endpoints to detect cyber health
+        issues (e.g., missing patches, malware infections, unauthorized software),
+        and redirect the endpoints to a remediation environment before access is authorized
+
+        1st: 1st Party Risk'
+    - urn: urn:intuitem:risk:req_node:nist-csf-2.0:de.ae
+      assessable: false
+      depth: 2
+      parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:de
+      ref_id: DE.AE
+      name: Adverse Event Analysis
+      description: Anomalies, indicators of compromise, and other potentially adverse
+        events are analyzed to characterize the events and detect cybersecurity incidents
+    - urn: urn:intuitem:risk:req_node:nist-csf-2.0:de.ae-02
+      assessable: true
+      depth: 3
+      parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:de.ae
+      ref_id: DE.AE-02
+      description: Potentially adverse events are analyzed to better understand associated
+        activities
+    - urn: urn:intuitem:risk:req_node:nist-csf-2.0:node181
+      assessable: false
+      depth: 4
+      parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:de.ae-02
+      name: Examples
+      description: 'Ex1: Use security information and event management (SIEM) or other
+        tools to continuously monitor log events for known malicious and suspicious
+        activity
+
+        Ex2: Utilize up-to-date cyber threat intelligence in log analysis tools to
+        improve detection accuracy and characterize threat actors, their methods,
+        and indicators of compromise
+
+        Ex3: Regularly conduct manual reviews of log events for technologies that
+        cannot be sufficiently monitored through automation
+
+        Ex4: Use log analysis tools to generate reports on their findings
+
+        1st: 1st Party Risk'
+    - urn: urn:intuitem:risk:req_node:nist-csf-2.0:de.ae-03
+      assessable: true
+      depth: 3
+      parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:de.ae
+      ref_id: DE.AE-03
+      description: Information is correlated from multiple sources
+    - urn: urn:intuitem:risk:req_node:nist-csf-2.0:node183
+      assessable: false
+      depth: 4
+      parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:de.ae-03
+      name: Examples
+      description: 'Ex1: Constantly transfer log data generated by other sources to
+        a relatively small number of log servers
+
+        Ex2: Use event correlation technology (e.g., SIEM) to collect information
+        captured by multiple sources
+
+        Ex3: Utilize cyber threat intelligence to help correlate events among log
+        sources
+
+        1st: 1st Party Risk'
+    - urn: urn:intuitem:risk:req_node:nist-csf-2.0:de.ae-04
+      assessable: true
+      depth: 3
+      parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:de.ae
+      ref_id: DE.AE-04
+      description: The estimated impact and scope of adverse events are understood
+    - urn: urn:intuitem:risk:req_node:nist-csf-2.0:node185
+      assessable: false
+      depth: 4
+      parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:de.ae-04
+      name: Examples
+      description: 'Ex1: Use SIEMs or other tools to estimate impact and scope, and
+        review and refine the estimates
+
+        Ex2: A person creates their own estimates of impact and scope
+
+        1st: 1st Party Risk'
+    - urn: urn:intuitem:risk:req_node:nist-csf-2.0:de.ae-06
+      assessable: true
+      depth: 3
+      parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:de.ae
+      ref_id: DE.AE-06
+      description: Information on adverse events is provided to authorized staff and
+        tools
+    - urn: urn:intuitem:risk:req_node:nist-csf-2.0:node187
+      assessable: false
+      depth: 4
+      parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:de.ae-06
+      name: Examples
+      description: 'Ex1: Use cybersecurity software to generate alerts and provide
+        them to the security operations center (SOC), incident responders, and incident
+        response tools
+
+        Ex2: Incident responders and other authorized personnel can access log analysis
+        findings at all times
+
+        Ex3: Automatically create and assign tickets in the organization''s ticketing
+        system when certain types of alerts occur
+
+        Ex4: Manually create and assign tickets in the organization''s ticketing system
+        when technical staff discover indicators of compromise
+
+        1st: 1st Party Risk'
+    - urn: urn:intuitem:risk:req_node:nist-csf-2.0:de.ae-07
+      assessable: true
+      depth: 3
+      parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:de.ae
+      ref_id: DE.AE-07
+      description: Cyber threat intelligence and other contextual information are
+        integrated into the analysis
+    - urn: urn:intuitem:risk:req_node:nist-csf-2.0:node189
+      assessable: false
+      depth: 4
+      parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:de.ae-07
+      name: Examples
+      description: 'Ex1: Securely provide cyber threat intelligence feeds to detection
+        technologies, processes, and personnel
+
+        Ex2: Securely provide information from asset inventories to detection technologies,
+        processes, and personnel
+
+        Ex3: Rapidly acquire and analyze vulnerability disclosures for the organization''s
+        technologies from suppliers, vendors, and third-party security advisories
+
+        1st: 1st Party Risk'
+    - urn: urn:intuitem:risk:req_node:nist-csf-2.0:de.ae-08
+      assessable: true
+      depth: 3
+      parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:de.ae
+      ref_id: DE.AE-08
+      description: Incidents are declared when adverse events meet the defined incident
+        criteria
+    - urn: urn:intuitem:risk:req_node:nist-csf-2.0:node191
+      assessable: false
+      depth: 4
+      parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:de.ae-08
+      name: Examples
+      description: 'Ex1: Apply incident criteria to known and assumed characteristics
+        of activity in order to determine whether an incident should be declared
+
+        Ex2: Take known false positives into account when applying incident criteria
+
+        1st: 1st Party Risk'
+    - urn: urn:intuitem:risk:req_node:nist-csf-2.0:rs
+      assessable: false
+      depth: 1
+      ref_id: RS
+      name: RESPOND
+      description: Actions regarding a detected cybersecurity incident are taken
+    - urn: urn:intuitem:risk:req_node:nist-csf-2.0:rs.ma
+      assessable: false
+      depth: 2
+      parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:rs
+      ref_id: RS.MA
+      name: Incident Management
+      description: Responses to detected cybersecurity incidents are managed
+    - urn: urn:intuitem:risk:req_node:nist-csf-2.0:rs.ma-01
+      assessable: true
+      depth: 3
+      parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:rs.ma
+      ref_id: RS.MA-01
+      description: The incident response plan is executed in coordination with relevant
+        third parties once an incident is declared
+    - urn: urn:intuitem:risk:req_node:nist-csf-2.0:node195
+      assessable: false
+      depth: 4
+      parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:rs.ma-01
+      name: Examples
+      description: 'Ex1: Detection technologies automatically report confirmed incidents
+
+        Ex2: Request incident response assistance from the organization''s incident
+        response outsourcer
+
+        Ex3: Designate an incident lead for each incident
+
+        Ex4: Initiate execution of additional cybersecurity plans as needed to support
+        incident response (for example, business continuity and disaster recovery)
+
+        3rd: 3rd Party Risk'
+    - urn: urn:intuitem:risk:req_node:nist-csf-2.0:rs.ma-02
+      assessable: true
+      depth: 3
+      parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:rs.ma
+      ref_id: RS.MA-02
+      description: Incident reports are triaged and validated
+    - urn: urn:intuitem:risk:req_node:nist-csf-2.0:node197
+      assessable: false
+      depth: 4
+      parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:rs.ma-02
+      name: Examples
+      description: '1st: 1st Party Risk
+
+        Ex1: Preliminarily review incident reports to confirm that they are cybersecurity-related
+        and necessitate incident response activities
+
+        Ex2: Apply criteria to estimate the severity of an incident'
+    - urn: urn:intuitem:risk:req_node:nist-csf-2.0:rs.ma-03
+      assessable: true
+      depth: 3
+      parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:rs.ma
+      ref_id: RS.MA-03
+      description: Incidents are categorized and prioritized
+    - urn: urn:intuitem:risk:req_node:nist-csf-2.0:node199
+      assessable: false
+      depth: 4
+      parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:rs.ma-03
+      name: Examples
+      description: '1st: 1st Party Risk
+
+        Ex1: Further review and categorize incidents based on the type of incident
+        (e.g., data breach, ransomware, DDoS, account compromise)
+
+        Ex2: Prioritize incidents based on their scope, likely impact, and time-critical
+        nature
+
+        Ex3: Select incident response strategies for active incidents by balancing
+        the need to quickly recover from an incident with the need to observe the
+        attacker or conduct a more thorough investigation'
+    - urn: urn:intuitem:risk:req_node:nist-csf-2.0:rs.ma-04
+      assessable: true
+      depth: 3
+      parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:rs.ma
+      ref_id: RS.MA-04
+      description: Incidents are escalated or elevated as needed
+    - urn: urn:intuitem:risk:req_node:nist-csf-2.0:node201
+      assessable: false
+      depth: 4
+      parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:rs.ma-04
+      name: Examples
+      description: '1st: 1st Party Risk
+
+        Ex1: Track and validate the status of all ongoing incidents
+
+        Ex2: Coordinate incident escalation or elevation with designated internal
+        and external stakeholders'
+    - urn: urn:intuitem:risk:req_node:nist-csf-2.0:rs.ma-05
+      assessable: true
+      depth: 3
+      parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:rs.ma
+      ref_id: RS.MA-05
+      description: The criteria for initiating incident recovery are applied
+    - urn: urn:intuitem:risk:req_node:nist-csf-2.0:node203
+      assessable: false
+      depth: 4
+      parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:rs.ma-05
+      name: Examples
+      description: '1st: 1st Party Risk
+
+        Ex1: Apply incident recovery criteria to known and assumed characteristics
+        of the incident to determine whether incident recovery processes should be
+        initiated
+
+        Ex2: Take the possible operational disruption of incident recovery activities
+        into account'
+    - urn: urn:intuitem:risk:req_node:nist-csf-2.0:rs.an
+      assessable: false
+      depth: 2
+      parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:rs
+      ref_id: RS.AN
+      name: Incident Analysis
+      description: Investigations are conducted to ensure effective response and support
+        forensics and recovery activities
+    - urn: urn:intuitem:risk:req_node:nist-csf-2.0:rs.an-03
+      assessable: true
+      depth: 3
+      parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:rs.an
+      ref_id: RS.AN-03
+      description: Analysis is performed to establish what has taken place during
+        an incident and the root cause of the incident
+    - urn: urn:intuitem:risk:req_node:nist-csf-2.0:node206
+      assessable: false
+      depth: 4
+      parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:rs.an-03
+      name: Examples
+      description: '1st: 1st Party Risk
+
+        Ex1: Determine the sequence of events that occurred during the incident and
+        which assets and resources were involved in each event
+
+        Ex2: Attempt to determine what vulnerabilities, threats, and threat actors
+        were directly or indirectly involved in the incident
+
+        Ex3: Analyze the incident to find the underlying, systemic root causes
+
+        Ex4: Check any cyber deception technology for additional information on attacker
+        behavior'
+    - urn: urn:intuitem:risk:req_node:nist-csf-2.0:rs.an-06
+      assessable: true
+      depth: 3
+      parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:rs.an
+      ref_id: RS.AN-06
+      description: Actions performed during an investigation are recorded, and the
+        records' integrity and provenance are preserved
+    - urn: urn:intuitem:risk:req_node:nist-csf-2.0:node208
+      assessable: false
+      depth: 4
+      parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:rs.an-06
+      name: Examples
+      description: '1st: 1st Party Risk
+
+        Ex1: Require each incident responder and others (e.g., system administrators,
+        cybersecurity engineers) who perform incident response tasks to record their
+        actions and make the record immutable
+
+        Ex2: Require the incident lead to document the incident in detail and be responsible
+        for preserving the integrity of the documentation and the sources of all information
+        being reported'
+    - urn: urn:intuitem:risk:req_node:nist-csf-2.0:rs.an-07
+      assessable: true
+      depth: 3
+      parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:rs.an
+      ref_id: RS.AN-07
+      description: Incident data and metadata are collected, and their integrity and
+        provenance are preserved
+    - urn: urn:intuitem:risk:req_node:nist-csf-2.0:node210
+      assessable: false
+      depth: 4
+      parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:rs.an-07
+      name: Examples
+      description: '1st: 1st Party Risk
+
+        Ex1: Collect, preserve, and safeguard the integrity of all pertinent incident
+        data and metadata (e.g., data source, date/time of collection) based on evidence
+        preservation and chain-of-custody procedures'
+    - urn: urn:intuitem:risk:req_node:nist-csf-2.0:rs.an-08
+      assessable: true
+      depth: 3
+      parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:rs.an
+      ref_id: RS.AN-08
+      description: An incident's magnitude is estimated and validated
+    - urn: urn:intuitem:risk:req_node:nist-csf-2.0:node212
+      assessable: false
+      depth: 4
+      parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:rs.an-08
+      name: Examples
+      description: '1st: 1st Party Risk
+
+        Ex1: Review other potential targets of the incident to search for indicators
+        of compromise and evidence of persistence
+
+        Ex2: Automatically run tools on targets to look for indicators of compromise
+        and evidence of persistence'
+    - urn: urn:intuitem:risk:req_node:nist-csf-2.0:rs.co
+      assessable: false
+      depth: 2
+      parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:rs
+      ref_id: RS.CO
+      name: Incident Response Reporting and Communication
+      description: Response activities are coordinated with internal and external
+        stakeholders as required by laws, regulations, or policies
+    - urn: urn:intuitem:risk:req_node:nist-csf-2.0:rs.co-02
+      assessable: true
+      depth: 3
+      parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:rs.co
+      ref_id: RS.CO-02
+      description: Internal and external stakeholders are notified of incidents
+    - urn: urn:intuitem:risk:req_node:nist-csf-2.0:node215
+      assessable: false
+      depth: 4
+      parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:rs.co-02
+      name: Examples
+      description: '1st: 1st Party Risk
+
+        3rd: 3rd Party Risk
+
+        Ex1: Follow the organization''s breach notification procedures after discovering
+        a data breach incident, including notifying affected customers
+
+        Ex2: Notify business partners and customers of incidents in accordance with
+        contractual requirements
+
+        Ex3: Notify law enforcement agencies and regulatory bodies of incidents based
+        on criteria in the incident response plan and management approval'
+    - urn: urn:intuitem:risk:req_node:nist-csf-2.0:rs.co-03
+      assessable: true
+      depth: 3
+      parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:rs.co
+      ref_id: RS.CO-03
+      description: Information is shared with designated internal and external stakeholders
+    - urn: urn:intuitem:risk:req_node:nist-csf-2.0:node217
+      assessable: false
+      depth: 4
+      parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:rs.co-03
+      name: Examples
+      description: '1st: 1st Party Risk
+
+        3rd: 3rd Party Risk
+
+        Ex1: Securely share information consistent with response plans and information
+        sharing agreements
+
+        Ex2: Voluntarily share information about an attacker''s observed TTPs, with
+        all sensitive data removed, with an Information Sharing and Analysis Center
+        (ISAC)
+
+        Ex3: Notify HR when malicious insider activity occurs
+
+        Ex4: Regularly update senior leadership on the status of major incidents
+
+        Ex5: Follow the rules and protocols defined in contracts for incident information
+        sharing between the organization and its suppliers
+
+        Ex6: Coordinate crisis communication methods between the organization and
+        its critical suppliers'
+    - urn: urn:intuitem:risk:req_node:nist-csf-2.0:rs.mi
+      assessable: false
+      depth: 2
+      parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:rs
+      ref_id: RS.MI
+      name: Incident Mitigation
+      description: Activities are performed to prevent expansion of an event and mitigate
+        its effects
+    - urn: urn:intuitem:risk:req_node:nist-csf-2.0:rs.mi-01
+      assessable: true
+      depth: 3
+      parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:rs.mi
+      ref_id: RS.MI-01
+      description: Incidents are contained
+    - urn: urn:intuitem:risk:req_node:nist-csf-2.0:node220
+      assessable: false
+      depth: 4
+      parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:rs.mi-01
+      name: Examples
+      description: '1st: 1st Party Risk
+
+        3rd: 3rd Party Risk
+
+        Ex1: Cybersecurity technologies (e.g., antivirus software) and cybersecurity
+        features of other technologies (e.g., operating systems, network infrastructure
+        devices) automatically perform containment actions
+
+        Ex2: Allow incident responders to manually select and perform containment
+        actions
+
+        Ex3: Allow a third party (e.g., internet service provider, managed security
+        service provider) to perform containment actions on behalf of the organization
+
+        Ex4: Automatically transfer compromised endpoints to a remediation virtual
+        local area network (VLAN)'
+    - urn: urn:intuitem:risk:req_node:nist-csf-2.0:rs.mi-02
+      assessable: true
+      depth: 3
+      parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:rs.mi
+      ref_id: RS.MI-02
+      description: Incidents are eradicated
+    - urn: urn:intuitem:risk:req_node:nist-csf-2.0:node222
+      assessable: false
+      depth: 4
+      parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:rs.mi-02
+      name: Examples
+      description: '1st: 1st Party Risk
+
+        3rd: 3rd Party Risk
+
+        Ex1: Cybersecurity technologies and cybersecurity features of other technologies
+        (e.g., operating systems, network infrastructure devices) automatically perform
+        eradication actions
+
+        Ex2: Allow incident responders to manually select and perform eradication
+        actions
+
+        Ex3: Allow a third party (e.g., managed security service provider) to perform
+        eradication actions on behalf of the organization'
+    - urn: urn:intuitem:risk:req_node:nist-csf-2.0:rc
+      assessable: false
+      depth: 1
+      ref_id: RC
+      name: RECOVER
+      description: Assets and operations affected by a cybersecurity incident are
+        restored
+    - urn: urn:intuitem:risk:req_node:nist-csf-2.0:rc.rp
+      assessable: false
+      depth: 2
+      parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:rc
+      ref_id: RC.RP
+      name: Incident Recovery Plan Execution
+      description: Restoration activities are performed to ensure operational availability
+        of systems and services affected by cybersecurity incidents
+    - urn: urn:intuitem:risk:req_node:nist-csf-2.0:rc.rp-01
+      assessable: true
+      depth: 3
+      parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:rc.rp
+      ref_id: RC.RP-01
+      description: The recovery portion of the incident response plan is executed
+        once initiated from the incident response process
+    - urn: urn:intuitem:risk:req_node:nist-csf-2.0:node226
+      assessable: false
+      depth: 4
+      parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:rc.rp-01
+      name: Examples
+      description: '1st: 1st Party Risk
+
+        Ex1: Begin recovery procedures during or after incident response processes
+
+        Ex2: Make all individuals with recovery responsibilities aware of the plans
+        for recovery and the authorizations required to implement each aspect of the
+        plans'
+    - urn: urn:intuitem:risk:req_node:nist-csf-2.0:rc.rp-02
+      assessable: true
+      depth: 3
+      parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:rc.rp
+      ref_id: RC.RP-02
+      description: Recovery actions are selected, scoped, prioritized, and performed
+    - urn: urn:intuitem:risk:req_node:nist-csf-2.0:node228
+      assessable: false
+      depth: 4
+      parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:rc.rp-02
+      name: Examples
+      description: '1st: 1st Party Risk
+
+        Ex1: Select recovery actions based on the criteria defined in the incident
+        response plan and available resources
+
+        Ex2: Change planned recovery actions based on a reassessment of organizational
+        needs and resources'
+    - urn: urn:intuitem:risk:req_node:nist-csf-2.0:rc.rp-03
+      assessable: true
+      depth: 3
+      parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:rc.rp
+      ref_id: RC.RP-03
+      description: The integrity of backups and other restoration assets is verified
+        before using them for restoration
+    - urn: urn:intuitem:risk:req_node:nist-csf-2.0:node230
+      assessable: false
+      depth: 4
+      parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:rc.rp-03
+      name: Examples
+      description: '1st: 1st Party Risk
+
+        Ex1: Check restoration assets for indicators of compromise, file corruption,
+        and other integrity issues before use'
+    - urn: urn:intuitem:risk:req_node:nist-csf-2.0:rc.rp-04
+      assessable: true
+      depth: 3
+      parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:rc.rp
+      ref_id: RC.RP-04
+      description: Critical mission functions and cybersecurity risk management are
+        considered to establish post-incident operational norms
+    - urn: urn:intuitem:risk:req_node:nist-csf-2.0:node232
+      assessable: false
+      depth: 4
+      parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:rc.rp-04
+      name: Examples
+      description: '1st: 1st Party Risk
+
+        Ex1: Use business impact and system categorization records (including service
+        delivery objectives) to validate that essential services are restored in the
+        appropriate order
+
+        Ex2: Work with system owners to confirm the successful restoration of systems
+        and the return to normal operations
+
+        Ex3: Monitor the performance of restored systems to verify the adequacy of
+        the restoration'
+    - urn: urn:intuitem:risk:req_node:nist-csf-2.0:rc.rp-05
+      assessable: true
+      depth: 3
+      parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:rc.rp
+      ref_id: RC.RP-05
+      description: The integrity of restored assets is verified, systems and services
+        are restored, and normal operating status is confirmed
+    - urn: urn:intuitem:risk:req_node:nist-csf-2.0:node234
+      assessable: false
+      depth: 4
+      parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:rc.rp-05
+      name: Examples
+      description: '1st: 1st Party Risk
+
+        Ex1: Check restored assets for indicators of compromise and remediation of
+        root causes of the incident before production use
+
+        Ex2: Verify the correctness and adequacy of the restoration actions taken
+        before putting a restored system online'
+    - urn: urn:intuitem:risk:req_node:nist-csf-2.0:rc.rp-06
+      assessable: true
+      depth: 3
+      parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:rc.rp
+      ref_id: RC.RP-06
+      description: The end of incident recovery is declared based on criteria, and
+        incident-related documentation is completed
+    - urn: urn:intuitem:risk:req_node:nist-csf-2.0:node236
+      assessable: false
+      depth: 4
+      parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:rc.rp-06
+      name: Examples
+      description: '1st: 1st Party Risk
+
+        Ex1: Prepare an after-action report that documents the incident itself, the
+        response and recovery actions taken, and lessons learned
+
+        Ex2: Declare the end of incident recovery once the criteria are met'
+    - urn: urn:intuitem:risk:req_node:nist-csf-2.0:rc.co
+      assessable: false
+      depth: 2
+      parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:rc
+      ref_id: RC.CO
+      name: Incident Recovery Communication
+      description: Restoration activities are coordinated with internal and external
+        parties
+    - urn: urn:intuitem:risk:req_node:nist-csf-2.0:rc.co-03
+      assessable: true
+      depth: 3
+      parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:rc.co
+      ref_id: RC.CO-03
+      description: Recovery activities and progress in restoring operational capabilities
+        are communicated to designated internal and external stakeholders
+    - urn: urn:intuitem:risk:req_node:nist-csf-2.0:node239
+      assessable: false
+      depth: 4
+      parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:rc.co-03
+      name: Examples
+      description: '1st: 1st Party Risk
+
+        3rd: 3rd Party Risk
+
+        Ex1: Securely share recovery information, including restoration progress,
+        consistent with response plans and information sharing agreements
+
+        Ex2: Regularly update senior leadership on recovery status and restoration
+        progress for major incidents
+
+        Ex3: Follow the rules and protocols defined in contracts for incident information
+        sharing between the organization and its suppliers
+
+        Ex4: Coordinate crisis communication between the organization and its critical
+        suppliers'
+    - urn: urn:intuitem:risk:req_node:nist-csf-2.0:rc.co-04
+      assessable: true
+      depth: 3
+      parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:rc.co
+      ref_id: RC.CO-04
+      description: Public updates on incident recovery are shared using approved methods
+        and messaging
+    - urn: urn:intuitem:risk:req_node:nist-csf-2.0:node241
+      assessable: false
+      depth: 4
+      parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:rc.co-04
+      name: Examples
+      description: '1st: 1st Party Risk
+
+        Ex1: Follow the organization''s breach notification procedures for recovering
+        from a data breach incident
+
+        Ex2: Explain the steps being taken to recover from the incident and to prevent
+        a recurrence'