Task R-3 - Identify and Implement a Preferred Course of Action in Response to the Risk Determined.

Topics covered:

- Inputs & Outputs
- Roles & Responsibilities
- SDLC & CSF Lifecycle Alignment
- Risk Response
- Risk Mitigation
- Assessment Report Updates
- Updated Plans
- Accepting Risk
- Course of Action
- Prioritizing Risk
- Residual Risk
- References

Potential Inputs:

- Authorization Package
- Risk Determination
- Organization- and System-Level Risk Assessment Results

Expected Outputs:

- Risk Responses for Determined Risk

Primary Responsibility:

- Authorizing Official
- Authorizing Official Designated Representative

System Development Life Cycle Phase:

- New - Implement/Assessment
- Existing - Operations/Maintenance

CSF Alignment:

- ID.RA-6 - Risk Assessment: Risk responses are identified and prioritized.

Risk Response

- After Risk is Analyzed and Determined, organizations can respond to Risk in a variety of ways, including Acceptance of Risk and Mitigation of Risk.
- Existing Risk Assessment Results and Risk Assessment Techniques may be used to help determine the preferred Course of Action for the Risk Response.

Risk Mitigation

- When the response to Risk is Mitigation, the Planned Mitigation Actions are included in and tracked using the Plan of Action & Milestones.
- Once mitigated, Assessors reassess the Controls.
- Control Reassessments determine the extent to which Remediated Controls are implemented correctly, operating as intended, and producing the desired outcome with regard to meeting the Security and Privacy requirements for the System and the Organization.

Assessment Report Updates

- The Assessors update the Assessment Reports with the findings from the Reassessment but do not change the Original Assessment Results.

Updated Plans

- The Security and Privacy Plans are updated based on the findings of the Control Assessments and any Remediation Actions taken.
- The Updated Plans reflect the state of the Controls after the Initial Assessment and any Modifications by the System Owner or Common Control Provider in addressing recommendations for Corrective Actions.
- At the completion of the Control Reassessments, Security and Privacy Plans contain an accurate description of Implemented Controls, including Compensating Controls.

Accepting Risk

- When the response to the Risk is Acceptance, the Deficiencies found during the Assessment Process remain documented in the Security and Privacy Assessment Reports and are monitored for changes to Risk Factors.
- Because the Authorizing Official is the only person who can accept Risk, the Authorizing Official is responsible for reviewing the Assessment Reports and the Plans of Action & Milestones and determining whether the identified Risks need to be mitigated prior to Authorization.

Course of Action

- Decisions on the most Appropriate Course of Action for responding to Risk may include some form of Prioritization.

Prioritizing Risk

- Some Risks may be of greater concern to the Organization than other Risks. In this case, more resources may need to be directed at addressing Higher-Priority Risks versus Lower-Priority Risks.
- Prioritizing Risk response does not necessarily mean that the Lower-Priority Risks are ignored. Rather, it could mean that fewer resources are directed at addressing the Lower-Priority Risks or that the Lower-Priority Risks are addressed later.

Residual Risk

- A key part of the Risk-based Decision Process is the recognition that, regardless of the Risk Response, there remains a degree of Residual Risk. Organizations determine acceptable degrees of Residual Risk based on Organizational Risk Tolerance.

References:

- NIST SP 800-30
- NIST SP 800-39 - Organization, Mission/Business Process, and System Levels
- NIST SP 800-160 v1 - Risk Management Process
- NIST IR 8062
- NIST IR 8179
- NIST CSF
