1. Cornell Law School, Legal Information Institute (LII). "Due Care." The LII, a reputable academic source, defines due care as: "The degree of care that a reasonable person would exercise under the same or similar circumstances." This provides the foundational legal definition.
Source: https://www.law.cornell.edu/wex/duecare
2. NIST Special Publication 800-161 Revision 1, Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations. This official publication distinguishes between the two key concepts. Section 2.3.2, "Due Diligence and Due Care," states: "Due care is the prudent and responsible execution of the duties and responsibilities associated with a given role or position." This directly supports the concept of due care as ongoing, reasonable action.
3. (ISC)². Official (ISC)² Guide to the CISSP CBK, 6th Edition. CRC Press, 2022. This is an official vendor document for a foundational cybersecurity certification whose concepts are shared with the CC. Chapter 3, "Security Governance Principles," defines due care as "the standard of care that a reasonable person is expected to exercise in all activities that could potentially harm others." It explicitly contrasts this with due diligence, which is defined as the "process of investigation."