Adequate resources are allocated commensurate with the cybersecurity risk strategy, roles, responsibilities, and policies