NIST ID.AM-6: Establish Cybersecurity Roles and Responsibilities
Cybersecurity isn't just an IT problem—it requires clear accountability across your entire organization. NIST ID.AM-6 requires you to define and communicate cybersecurity roles and responsibilities for employees, contractors, suppliers, and partners. Without this foundation, security gaps emerge and incidents escalate.
What this means
This control mandates that your organization explicitly establish and document who is responsible for cybersecurity across all workforce members and external stakeholders. This includes defining roles for employees at every level, third-party vendors, suppliers, customers, and partners who interact with your systems or data. The goal is to eliminate confusion about who owns which security tasks, from incident response to policy enforcement to vulnerability management.
How to comply
- 1.Map all roles and job functions that interact with company systems, data, or networks—both internal and external
- 2.Define specific cybersecurity responsibilities for each role (e.g., developers, HR, finance, vendors)
- 3.Document role-based security expectations in job descriptions, contracts, and service level agreements
- 4.Establish clear escalation paths and incident response ownership
- 5.Communicate roles and responsibilities to all stakeholders in writing
- 6.Review and update role definitions annually or when organizational structure changes
- 7.Ensure third-party agreements explicitly include cybersecurity responsibilities
Evidence auditors look for
- Role-based security policy matrix showing responsibilities by job function
- Updated job descriptions that include cybersecurity duties and requirements
- Third-party vendor agreements with explicit security responsibility clauses
- Org chart or RACI matrix documenting security accountability by department
- Evidence of communication to employees about their cybersecurity roles
- Incident response plan identifying responsible parties by role
- Contractor onboarding documentation that covers security responsibilities
Frequently asked questions
When will FAQs be available?
The FAQ for this control is currently being prepared.
GRCWatch automates role-responsibility mapping and tracks accountability across your entire organization, surfacing gaps in coverage and generating audit-ready evidence when responsibilities change.
See how GRCWatch handles this control automatically
Start free trial