CMMC Domain RM Risk Management

Create practices to monitor, manage, and remediate risks to your systems and data.

RM.2.141
Periodically assess the risk to organizational operations (including mission, functions, image, or reputation), organizational assets, and individuals, resulting from the operation of organizational systems and the associated processing, storage, or transmission of CUI.
RM.2.142
Scan for vulnerabilities in organizational systems and applications periodically and when new vulnerabilities affecting those systems and applications are identified.
RM.2.143
Remediate vulnerabilities in accordance with risk assessments.
RM.3.144
Periodically perform risk assessments to identify and prioritize risks according to the defined risk categories, risk sources, and risk measurement criteria.
RM.3.146
Develop and implement risk mitigation plans.
RM.3.147
Manage non-vendor-supported products (e.g., end of life) separately and restrict as necessary to reduce risk.
RM.4.148
Develop and update as required, a plan for managing supply chain risks associated with the IT supply chain.
RM.4.149
Catalog and periodically update threat profiles and adversary TTPs.
RM.4.150
Employ threat intelligence to inform the development of the system and security architectures, selection of security solutions, monitoring, threat hunting, and response and recovery activities.
RM.4.151
Perform scans for unauthorized ports available across perimeter network boundaries over the organization’s Internet network boundaries and other organizationally defined boundaries.
RM.5.152
Utilize an exception process for non-whitelisted software that includes mitigation techniques.
RM.5.155
Analyze the effectiveness of security solutions at least annually to address anticipated risk to the system and the organization based on current and accumulated threat intelligence.
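RM.4.151 asks for scans that find ports exposed across perimeter boundaries that nobody authorized. The scan alone is not the control; the check that turns scan output into findings is. The following is an added example written for this page, not text or code from CMMC or any assessment guide. It parses nmap's grepable (-oG) output format and compares the open ports per host against an allowlist of authorized ports. The scan lines, the hosts (RFC 5737 documentation addresses) and the allowlist are all constructed for illustration; a real run would feed in the output of `nmap -sS -p- -oG - <perimeter targets>` and an allowlist maintained with the firewall change records.

```python
"""Compare perimeter port-scan results against an authorized-port allowlist.

Added example for the RM.4.151 practice; not part of the CMMC text.
Parses nmap "grepable" (-oG) output. The scan sample and allowlist below
are constructed for illustration only.
"""
import re
from typing import Dict, List, Set, Tuple

# Constructed sample of `nmap -sS -p- -oG -` output for two perimeter hosts.
SAMPLE_SCAN = """\
# Nmap scan initiated (constructed sample)
Host: 203.0.113.10 ()\tStatus: Up
Host: 203.0.113.10 ()\tPorts: 22/open/tcp//ssh///, 443/open/tcp//https///, 3389/open/tcp//ms-wbt-server///\tIgnored State: closed (65532)
Host: 203.0.113.20 ()\tStatus: Up
Host: 203.0.113.20 ()\tPorts: 25/open/tcp//smtp///, 443/open/tcp//https///, 8080/filtered/tcp//http-proxy///\tIgnored State: closed (65532)
# Nmap done
"""

# Constructed allowlist: (port, protocol) pairs authorized per perimeter host.
# In practice this comes from firewall rules and change records.
AUTHORIZED: Dict[str, Set[Tuple[int, str]]] = {
    "203.0.113.10": {(22, "tcp"), (443, "tcp")},
    "203.0.113.20": {(25, "tcp"), (443, "tcp")},
}

# One entry of the nmap "Ports:" field looks like 22/open/tcp//ssh///
PORT_RE = re.compile(r"(\d+)/(\w+)/(\w+)//")


def parse_grepable(text: str) -> Dict[str, Set[Tuple[int, str]]]:
    """Return {host: {(port, proto), ...}} for ports nmap reports as open.

    Only the "open" state counts; "filtered" and "closed" ports are not
    reachable services and are not reported.
    """
    open_ports: Dict[str, Set[Tuple[int, str]]] = {}
    for line in text.splitlines():
        if not line.startswith("Host:") or "Ports:" not in line:
            continue
        host = line.split()[1]
        # The Ports field ends at the next tab-separated field.
        ports_field = line.split("Ports:", 1)[1].split("\t", 1)[0]
        for port, state, proto in PORT_RE.findall(ports_field):
            if state == "open":
                open_ports.setdefault(host, set()).add((int(port), proto))
    return open_ports


def unauthorized_ports(
    scan_text: str, allowlist: Dict[str, Set[Tuple[int, str]]]
) -> Dict[str, List[Tuple[int, str]]]:
    """Open ports present in the scan but absent from the allowlist.

    A host that appears in the scan but not in the allowlist has no
    authorized ports, so every open port on it is reported as a finding.
    """
    findings: Dict[str, List[Tuple[int, str]]] = {}
    for host, ports in parse_grepable(scan_text).items():
        extra = ports - allowlist.get(host, set())
        if extra:
            findings[host] = sorted(extra)
    return findings


if __name__ == "__main__":
    for host, ports in unauthorized_ports(SAMPLE_SCAN, AUTHORIZED).items():
        for port, proto in ports:
            print(f"FINDING {host} {port}/{proto} open but not authorized")
```

In the constructed sample, 3389/tcp on 203.0.113.10 is the only finding: it is open and not on the allowlist, while the filtered 8080/tcp on 203.0.113.20 is not reachable and is ignored. Running the check with an empty allowlist reports every open port, which is the right failure mode for a host the allowlist does not know about.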