CMMC Practice RM.3.146
Develop and implement risk mitigation plans.
Bold Coast Security Guidance
For Level 3 compliance, a practice, policy, and plans must be in place and consistently applied. If mitigation is the chosen disposition, a plan must be created to include assigned personnel, timelines for milestones (if applicable) and completion, and any purchases or implementations that may be part of the remediation effort.
CERT RMM V1.2
When the consequences of risk exceed the organization's risk thresholds and are determined to be unacceptable, the organization must act to address risk to the extent possible.
Addressing risk requires the development of response strategies that may include a wide range of activities. In some cases, risk response will require adjustments to current strategies for protecting and sustaining assets and services. In other cases, the organization will find itself designing and implementing new controls and service continuity plans. In addition, because not all risk can be mitigated, the organization must be able to address residual risk—the risk that remains and is accepted by the organization after response plans are implemented. This risk must be analyzed and determined to be acceptable before the risk response plan is in place.