CCI-004455
CCI-004455 Definition
| Status | |
| Type | CheckType.policy |
Master Assessment Datasheet
Implementation Guidance
Determine if:
- constraints affecting risk assessments are identified and documented.
- constraints affecting risk responses are identified and documented.
- constraints affecting risk monitoring are identified and documented.
Validation Procedures
Examine: [SELECT FROM: Information security program plan; privacy program plan; supply chain risk management strategy; documentation of risk framing activities; policies and procedures for risk framing activities; risk management strategy].

Interview: [SELECT FROM: Organizational personnel (including mission, business, and system owners or stewards; authorizing officials; senior agency information security officer; senior agency official for privacy; and senior accountable official for risk management)].

Test: [SELECT FROM: Organizational procedures and practices for authorizing, conducting, managing, and reviewing personally identifiable information processing; organizational processes for risk framing; mechanisms supporting the development, review, update, and approval of risk framing].