Requirement text: RM.3.146: Develop and implement risk mitigation plans.
DISCUSSION FROM SOURCE: CERT RMM V1.2
When the consequences of risk exceed the organization’s risk thresholds and are determined
to be unacceptable, the organization must act to address risk to the extent possible.
Addressing risk requires the development of response strategies that may include a wide
range of activities. In some cases, risk response will require adjustments to current
strategies for protecting and sustaining assets and services. In other cases, the organization
will find itself designing and implementing new controls and service continuity plans. In
addition, because not all risk can be mitigated, the organization must be able to address
residual risk—the risk that remains and is accepted by the organization after response plans
are implemented. This risk must be analyzed and determined to be acceptable before the
risk response plan is in place.
CMMC CLARIFICATION
For each identified risk, develop and implement a risk mitigation plan. Mitigation plans
should define a risk disposition for each identified risk. Possible risk dispositions include:
avoid, accept, monitor, defer, transfer, and mitigate. Mitigation plans define how to address
or limit the identified risk. Risk mitigation plans may include:
• how the vulnerability or threat will be reduced;
• the actions that will limit risk exposure;
• controls to be implemented;
• staff responsible for the mitigation plan;
• the resources required for the plan;
• the implementation specifics (e.g., when, where, how); and
• how the plan implementation will be measured or tracked.
Example
After the risk assessment for your IT organization was completed, the CIO was presented with
the risks to IT assets. As a result of the assessment report, the CIO has asked you to develop
plans to address specific risks (based on impact and likelihood). You set up a meeting with
the lead for IT projects to discuss the assessment. During the meeting you are briefed on
current IT activities in the organization. Using the assessment information and the IT activities,
you develop an integrated list of IT activities and risk mitigations. The list defines a
combined priority within the IT organization, the proposed actions to reduce risk, who is
responsible for completing each action, and the completion date.
References
• NIST CSF v1.1 ID.RA-6, ID.RM-1
• CERT RMM v1.2 RISK:SG5.SP1
• NIST SP 800-53 Rev 4 PM-9