ID.RA-06: Risk responses are chosen, prioritized, planned, tracked, and communicated

Description

[csf.tools Note: Subcategories do not have detailed descriptions. However NIST has provided the following implementation examples.]

Implementation Examples

1st: 1st Party Risk (the examples below address first-party risk, i.e., risk to the organization's own assets, rather than third-party or supplier risk)

Ex1: Apply the vulnerability management plan's criteria for deciding whether to accept, transfer, mitigate, or avoid risk

Ex2: Apply the vulnerability management plan's criteria for selecting compensating controls to mitigate risk

Ex3: Track the progress of risk response implementation (e.g., plan of action and milestones [POA&M], risk register, risk detail report)

Ex4: Use risk assessment findings to inform risk response decisions and actions

Ex5: Communicate planned risk responses to affected stakeholders in priority order