a.
Develops a comprehensive strategy to manage risk to organizational operations and assets, individuals, other organizations, and the Nation associated with the operation and use of information systems;
b.
Implements the risk management strategy consistently across the organization; and
c.
Reviews and updates the risk management strategy [Assignment: organization-defined frequency] or as required, to address organizational changes.