Link Search Menu Expand Document
NIST SP 800-37

ONGOING RISK RESPONSE

TASK M-3

Respond to risk based on the results of ongoing monitoring activities, risk assessments, and outstanding items in plans of action and milestones.
Potential Inputs: Security and privacy assessment reports; organization- and system-level risk assessment results; security and privacy plans; plans of action and milestones.
Expected Outputs: Mitigation actions or risk acceptance decisions; updated security and privacy assessment reports.
Primary Responsibility: Authorizing Official; System Owner; Common Control Provider.
Supporting Roles: Senior Accountable Official for Risk Management or Risk Executive (Function); Senior Agency Official for Privacy; Authorizing Official Designated Representative; Information Owner or Steward; System Security Officer; System Privacy Officer; Systems Security Engineer; Privacy Engineer; Security Architect; Privacy Architect.
System Development Life Cycle Phase: New – Operations/Maintenance. Existing – Operations/Maintenance.
Discussion: Assessment information produced by an assessor during continuous monitoring is provided to the system owner and the common control provider in updated assessment reports or via reports from automated security/privacy management and reporting tools. The authorizing official determines the appropriate risk response to the assessment findings or approves responses proposed by the system owner and common control provider. The system owner and common control provider subsequently implement the appropriate risk response. When the risk response is acceptance, the findings remain documented in the security and privacy assessment reports and are monitored for changes to risk factors. When the risk response is mitigation, the planned mitigation actions are included in and tracked using the plans of action and milestones. If requested by the authorizing official, control assessors may provide recommendations for remediation actions. Recommendations for remediation actions may also be provided by an automated security/privacy management and reporting tool. An organizational assessment of risk (Task P-3) and system-level risk assessment results (Task P-14) guide and inform the decisions regarding ongoing risk response. Controls that are modified, enhanced, or added as part of ongoing risk response are reassessed by assessors to ensure that the new, modified, or enhanced controls have been implemented correctly, are operating as intended, and producing the desired outcome with respect to meeting the security and privacy requirements of the system.

References: [SP 800-30]; [SP 800-53]; [SP 800-53A]; [SP 800-137]; [SP 800-160 v1] (Risk Management Process); [IR 8011 v1]; [IR 8062]; [NIST CSF] (Core [Respond Function]).