CMMC Practice RM.3.146: Develop and implement risk mitigation plans.
For each identified risk, develop and implement a risk mitigation plan. Mitigation plans should define a risk disposition for each identified risk. Possible risk dispositions include: avoid, accept, monitor, defer, transfer, and mitigate. Mitigation plans define how to address or limit the identified risk. Risk mitigation plans may include:
- how the vulnerability or threat will be reduced;
- the actions that will limit risk exposure;
- controls to be implemented;
- staff responsible for the mitigation plan;
- the resources required for the plan;
- the implementation specifics (e.g., when, where, how); and
- how the plan implementation will be measured or tracked.