ID.RA-06: Risk responses are chosen, prioritized, planned, tracked, and communicated
Implementation Examples
Ex1: Apply the vulnerability management plan's criteria for deciding whether to accept, transfer, mitigate, or avoid risk
Ex2: Apply the vulnerability management plan's criteria for selecting compensating controls to mitigate risk
Ex3: Track the progress of risk response implementation (e.g., plan of action and milestones [POA&M], risk register, risk detail report)
Ex4: Use risk assessment findings to inform risk response decisions and actions
Ex5: Communicate planned risk responses to affected stakeholders in priority order