Level 5 CMMC - CMMC Practices

RM.3.146  

Reference: CMMC 1.02

Family: RM

Level Introduced: 3

Practice:
Develop and implement risk mitigation plans.

CMMC Clarification:
For each identified risk, develop and implement a risk mitigation plan. Mitigation plans should define a risk disposition for each identified risk. Possible risk dispositions include: avoid, accept, monitor, defer, transfer, and mitigate. Mitigation plans define how to address or limit the identified risk. Risk mitigation plans may include:
• how the vulnerability or threat will be reduced;
• the actions that will limit risk exposure;
• controls to be implemented;
• staff responsible for the mitigation plan;
• the resources required for the plan;
• the implementation specifics (e.g., when, where, how); and
• how the plan implementation will be measured or tracked.

Example
After the risk assessment for your IT organization was completed, the CIO was presented with the risks to IT assets. Based on the assessment report, the CIO has asked you to develop plans to address specific risks (prioritized by impact and likelihood). You set up a meeting with the lead for IT projects to discuss the assessment. During the meeting you are briefed on current IT activities in the organization. Using the assessment information and the IT activities, you develop an integrated list of IT activities and risk mitigations. The list defines a combined priority within the IT organization, proposed actions to reduce risk, who is responsible for completing each action, and the completion date.

PM-9

RISK MANAGEMENT STRATEGY

Description:
The organization:
    a. Develops a comprehensive strategy to manage risk to organizational operations and assets, individuals, other organizations, and the Nation associated with the operation and use of information systems;
    b. Implements the risk management strategy consistently across the organization; and
    c. Reviews and updates the risk management strategy [Assignment: organization-defined frequency] or as required, to address organizational changes.

Supplemental Guidance:
An organization-wide risk management strategy includes, for example, an unambiguous expression of the risk tolerance for the organization, acceptable risk assessment methodologies, risk mitigation strategies, a process for consistently evaluating risk across the organization with respect to the organization’s risk tolerance, and approaches for monitoring risk over time. The use of a risk executive function can facilitate consistent, organization-wide application of the risk management strategy. The organization-wide risk management strategy can be informed by risk-related inputs from other sources both internal and external to the organization to ensure the strategy is both broad-based and comprehensive. Related control: RA-3.

Source: NIST Special Publication 800-53 Rev. 4

Source: CMMC v1.02