Control Acronym



Risk Management

CMMC Level


800-171 Control #


CMMC Description

Develop and implement risk mitigation plans.

CMMC Clarification

For each identified risk, develop and implement a risk mitigation plan. Mitigation plans should define a risk disposition for each identified risk. Possible risk dispositions include: avoid, accept, monitor, defer, transfer, and mitigate. Mitigation plans define how to address or limit the identified risk. Risk mitigation plans may include:

* how the vulnerability or threat will be reduced
* the actions that will limit risk exposure
* controls to be implemented
* staff responsible for the mitigation plan
* the resources required for the plan
* the implementation specifics (e.g., when, where, how)
* how the plan implementation will be measured or tracked

Example

Having completed the risk assessment for your IT organization, the CIO was presented with the risks to IT assets. As a result of the assessment report, the CIO has asked you to develop plans to address specific risks (based on impact and likelihood). You set up a meeting with the lead for IT projects to discuss the assessment. During the meeting you are briefed on current IT activities in the organization. Using the assessment information and IT activities, you develop an integrated list of IT activities and risk mitigations. The list defines a combined priority within the IT organization, proposed actions to reduce risk, who is responsible for completing each action, and the completion date.

800-171 Description

800-171 Discussion


Other Source Discussion

CERT RMM V1.2

When the consequences of risk exceed the organization’s risk thresholds and are determined to be unacceptable, the organization must act to address risk to the extent possible. Addressing risk requires the development of response strategies that may include a wide range of activities. In some cases, risk response will require adjustments to current strategies for protecting and sustaining assets and services. In other cases, the organization will find itself designing and implementing new controls and service continuity plans. In addition, because not all risk can be mitigated, the organization must be able to address residual risk—the risk that remains and is accepted by the organization after response plans are implemented. This risk must be analyzed and determined to be acceptable before the risk response plan is in place.

CIS Control References

NIST 800-53 Control Ref.

NIST SP 800-53 Rev 4 PM-9

CMMC Derived

NIST CSF Control References

NIST 800-171 References

Applicable FAR Clause

NIST CSF Control Reference

NIST CSF v1.1 ID.RA-6, ID.RM-1

CERT RMM Reference


Modification of NIST 800-171B Reference

NIST 800-171B Reference

UK NCSC Cyber Reference

AS ACSC Reference


Assessment Sub-Criteria 1

RM.3.146.[a] the organization develops an approach for mitigating each identified risk; and

Assessment Sub-Criteria 2

RM.3.146.[b] the organization implements risk mitigation plans for each identified risk.

