RM.3.146 Develop and implement risk mitigation plans.

CMMC Practice RM.3.146: Develop and implement risk mitigation plans.

Links to Publicly Available Resources


For each identified risk, develop and implement a risk mitigation plan. Mitigation plans should define a risk disposition for each identified risk. Possible risk dispositions include: avoid, accept, monitor, defer, transfer, and mitigate. Mitigation plans define how to address or limit the identified risk. Risk mitigation plans may include:

  • how the vulnerability or threat will be reduced;
  • the actions that will limit risk exposure;
  • controls to be implemented;
  • staff responsible for the mitigation plan;
  • the resources required for the plan;
  • the implementation specifics (e.g., when, where, how); and
  • how the plan implementation will be measured or tracked.