PM-28: Risk Framing

Control Family:

Program Management

CSF v1.1 References:


  • Low


  • Moderate


  • High


  • Privacy
    • PM-28
Info icon.

Control is new to this version of the control set.

Control Statement

  1. Identify and document:
    1. Assumptions affecting risk assessments, risk responses, and risk monitoring;
    2. Constraints affecting risk assessments, risk responses, and risk monitoring;
    3. Priorities and trade-offs considered by the organization for managing risk; and
    4. Organizational risk tolerance;
  2. Distribute the results of risk framing activities to [Assignment: organization-defined personnel]; and
  3. Review and update risk framing considerations [Assignment: organization-defined frequency].

Supplemental Guidance

Risk framing is most effective when conducted at the organization level and in consultation with stakeholders throughout the organization including mission, business, and system owners. The assumptions, constraints, risk tolerance, priorities, and trade-offs identified as part of the risk framing process inform the risk management strategy, which in turn informs the conduct of risk assessment, risk response, and risk monitoring activities. Risk framing results are shared with organizational personnel, including mission and business owners, information owners or stewards, system owners, authorizing officials, senior agency information security officer, senior agency official for privacy, and senior accountable official for risk management.