NVD

NIST Special Publication 800-53 (Rev. 4)

Security and Privacy Controls for Federal Information Systems and Organizations

PM-9 RISK MANAGEMENT STRATEGY

Family:

Program Management

Class:

Priority:

null -

Baseline Allocation:

Low	Moderate	High

Control Description

The organization:

a. Develops a comprehensive strategy to manage risk to organizational operations and assets, individuals, other organizations, and the Nation associated with the operation and use of information systems;

b. Implements the risk management strategy consistently across the organization; and

c. Reviews and updates the risk management strategy [Assignment: organization-defined frequency] or as required, to address organizational changes.

Supplemental Guidance

An organization-wide risk management strategy includes, for example, an unambiguous expression of the risk tolerance for the organization, acceptable risk assessment methodologies, risk mitigation strategies, a process for consistently evaluating risk across the organization with respect to the organization's risk tolerance, and approaches for monitoring risk over time. The use of a risk executive function can facilitate consistent, organization-wide application of the risk management strategy. The organization-wide risk management strategy can be informed by risk-related inputs from other sources both internal and external to the organization to ensure the strategy is both broad-based and comprehensive.

Related to: RA-3

Control Enhancements

None.

References

NIST Special Publication 800-30	https://csrc.nist.gov/publications/search?keywords-lg=800-30
NIST Special Publication 800-39	https://csrc.nist.gov/publications/search?keywords-lg=800-39

800-53 (Rev. 4)

Security Controls: Low-Impact; Moderate-Impact; High-Impact
Other Links: Families; Search

You are viewing this page in an unauthorized frame window.

Information Technology Laboratory

National Vulnerability Database