Navigate

PM-9

PM-9: Risk Management Strategy

The organization:

a: Develops a comprehensive strategy to manage risk to organizational operations and assets, individuals, other organizations, and the Nation associated with the operation and use of information systems;

b: Implements the risk management strategy consistently across the organization; and

c: Reviews and updates the risk management strategy [organization-defined frequency] or as required, to address organizational changes.

Supplemental

An organization-wide risk management strategy includes, for example, an unambiguous expression of the risk tolerance for the organization, acceptable risk assessment methodologies, risk mitigation strategies, a process for consistently evaluating risk across the organization with respect to the organization’s risk tolerance, and approaches for monitoring risk over time. The use of a risk executive function can facilitate consistent, organization-wide application of the risk management strategy. The organization-wide risk management strategy can be informed by risk-related inputs from other sources both internal and external to the organization to ensure the strategy is both broad-based and comprehensive.

CIA Levels
Confidentiality	unknown
Integrity	unknown
Availability	unknown

Overlays
Privacy (CNSSI 1253), Privacy (High), Privacy (Low), Privacy (Mod), Privacy (PHI)

CSF Categories
ID.GV-4, ID.RA-4, ID.RA-6, ID.RM-1, ID.RM-2, ID.RM-3, ID.SC-1, ID.SC-2, ID.SC-3

Related Controls

The controls below (if any) were marked by NIST as being related to PM-9.

Control	Description
RA-3	The organization: a: Conducts an assessment of risk, including the likelihood and magnitude of harm, from the unauthorized access, use, disclosure, disruption, modification, or destruction of the information system and the information it processes, stores, or transmits; b: Documents risk assessment results in []; c: Reviews risk assessment results [organization-defined frequency]; d: Disseminates risk assessment results to [organization-defined personnel or roles]; and e: Updates the risk assessment [organization-defined frequency] or whenever there are significant changes to the information system or environment of operation (including the identification of new threats and vulnerabilities), or other conditions that may impact the security state of the system.

Control

Description

RA-3

The organization:

a: Conducts an assessment of risk, including the likelihood and magnitude of harm, from the unauthorized access, use, disclosure, disruption, modification, or destruction of the information system and the information it processes, stores, or transmits;

b: Documents risk assessment results in [];

c: Reviews risk assessment results [organization-defined frequency];

d: Disseminates risk assessment results to [organization-defined personnel or roles]; and

e: Updates the risk assessment [organization-defined frequency] or whenever there are significant changes to the information system or environment of operation (including the identification of new threats and vulnerabilities), or other conditions that may impact the security state of the system.

Enhancements

The controls below (if any) add on to the requirements of PM-9.

Control	Description
No controls

Related CCIs

The CCIs below are tied to PM-9.

CCI	Definition
CCI-000227	Develop a comprehensive strategy to manage security risk to organizational operations and assets, individuals, other organizations, and the Nation associated with the operation and use of information systems.
CCI-000228	Implement the risk management strategy consistently across the organization.
CCI-002994	Review and update the risk management strategy in accordance with organization-defined frequency or as required, to address organizational changes.
CCI-002995	Defines the frequency with which to review and update the risk management strategy to address organizational changes.