RISK RESPONSE

TASK R-3

Identify and implement a preferred course of action in response to the risk determined.
Potential Inputs: Authorization package; risk determination; organization- and system-level risk assessment results.
Expected Outputs: Risk responses for determined risks.
Primary Responsibility: Authorizing Official or Authorizing Official Designated Representative.
Supporting Roles: Senior Accountable Official for Risk Management or Risk Executive (Function); Senior Agency Information Security Officer; Senior Agency Official for Privacy; System Owner or Common Control Provider; Information Owner or Steward; Systems Security Engineer; Privacy Engineer; System Security Officer; System Privacy Officer.
System Development Life Cycle Phase: New – Implementation/Assessment. Existing – Operations/Maintenance.
Discussion: After risk is analyzed and determined, organizations can respond to risk in a variety of ways, including acceptance of risk and mitigation of risk. Existing risk assessment results and risk assessment techniques may be used to help determine the preferred course of action for the risk response.¹⁰⁰ When the response to risk is mitigation, the planned mitigation actions are included in and tracked using the plan of action and milestones. Once mitigated, assessors reassess the controls. Control reassessments determine the extent to which remediated controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting the security and privacy requirements for the system and the organization. The assessors update the assessment reports with the findings from the reassessment, but do not change the original assessment results. The security and privacy plans are updated based on the findings of the control assessments and any remediation actions taken. The updated plans reflect the state of the controls after the initial assessment and any modifications by the system owner or common control provider in addressing recommendations for corrective actions.

At the completion of the control reassessments, security and privacy plans contain an accurate description of implemented controls, including compensating controls. When the response to risk is acceptance, the deficiencies found during the assessment process remain documented in the security and privacy assessment reports and are monitored for changes to the risk factors.¹⁰¹ Because the authorizing official is the only person who can accept risk, the authorizing official is responsible for reviewing the assessment reports and plans of action and milestones and determining whether the identified risks need to be mitigated prior to authorization. Decisions on the most appropriate course of action for responding to risk may include some form of prioritization. Some risks may be of greater concern to organizations than other risks. In that case, more resources may need to be directed at addressing higher-priority risks versus lower-priority risks. Prioritizing risk response does not necessarily mean that the lower-priority risks are ignored. Rather, it could mean that fewer resources are directed at addressing the lower-priority risks, or that the lower-priority risks are addressed later. A key part of the risk-based decision process is the recognition that regardless of the risk response, there remains a degree of residual risk. Organizations determine acceptable degrees of residual risk based on organizational risk tolerance.

References: [SP 800-30]; [SP 800-39] (Organization, Mission/Business Process, and System Levels); [SP 800-160 v1] (Risk Management Process); [IR 8062]; [IR 8179]; [NIST CSF] (Core [Identify Function]).

¹⁰⁰ [SP 800-39] provides additional information on risk response.

¹⁰¹ The four security risk factors are threat, vulnerability, likelihood, and impact. [SP 800-30] and [SP 800-39] provide information about security risk assessments and associated risk factors. [IR 8062] and Section 2.3 provide additional information on privacy risk factors and conducting privacy risk assessments.