Develop and implement risk mitigation plans.
For each identified risk, develop and implement a risk mitigation plan. Mitigation plans should define a risk disposition for each identified risk. Possible risk dispositions include: avoid, accept, monitor, defer, transfer, and mitigate. Mitigation plans define how to address or limit the identified risk. Risk mitigation plans may include: • * how the vulnerability or threat will be reduced * the actions that will limit risk exposure * controls to be implemented * staff responsible for the mitigation plan * the resources required for the plan * the implementation specifics (e.g., when, where, how) * how the plan implementation will be measured or tracked. Example Having completed the risk assessment for your IT organization the CIO was presented with the risks to IT assets. As a result of the assessment report the CIO has asked you to develop plans to address specific risks (based on impact and likelihood). You setup a meeting with the lead for IT projects to discuss the assessment. During the meeting you are briefed on current IT activities in the organization. Using the assessment information and IT activities you develop an integrated list of IT activities and risk mitigations. The list defines a combined priority within the IT organization, proposed actions to reduce risk, who is responsible for completing the action, and the completion date.
CERT RMM V1.2 When the consequences of risk exceed the organization’s risk thresholds and are determined to be unacceptable, the organization must act to address risk to the extent possible. Addressing risk requires the development of response strategies that may include a wide range of activities. In some cases, risk response will require adjustments to current strategies for protecting and sustaining assets and services. In other cases, the organization will find itself designing and implementing new controls and service continuity plans. In addition, because not all risk can be mitigated, the organization must be able to address residual risk—the risk that remains and is accepted by the organization after response plans are implemented. This risk must be analyzed and determined to be acceptable before the risk response plan is in place.
NIST SP 800-53 Rev 4 PM-9
NIST CSF v1.1 ID.RA-6, ID.RM-1
CERT RMM v1.2 RISK:SG5.SP1
RM.3.146.[a] the organization develops an approach for mitigating each identified risk; and
RM.3.146.[b] the organization implements risk mitigation plans for each identified risk.