PM-09 Risk Management Strategy

Baselines

Guidance

An organization-wide risk management strategy includes an expression of the security and privacy risk tolerance for the organization, security and privacy risk mitigation strategies, acceptable risk assessment methodologies, a process for evaluating security and privacy risk across the organization with respect to the organization’s risk tolerance, and approaches for monitoring risk over time. The senior accountable official for risk management (agency head or designated official) aligns information security management processes with strategic, operational, and budgetary planning processes. The risk executive function, led by the senior accountable official for risk management, can facilitate consistent application of the risk management strategy organization-wide. The risk management strategy can be informed by security and privacy risk-related inputs from other sources, both internal and external to the organization, to ensure that the strategy is broad-based and comprehensive. The supply chain risk management strategy described in PM-30 can also provide useful inputs to the organization-wide risk management strategy.

References 6

• OMB A-130 Office of Management and Budget Memorandum Circular A-130, *Managing Information as a Strategic Resource* , July 2016.
• SP 800-30 Joint Task Force Transformation Initiative (2012) Guide for Conducting Risk Assessments. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-30, Rev. 1.
• SP 800-37 Joint Task Force (2018) Risk Management Framework for Information Systems and Organizations: A System Life Cycle Approach for Security and Privacy. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-37, Rev. 2.
• SP 800-39 Joint Task Force Transformation Initiative (2011) Managing Information Security Risk: Organization, Mission, and Information System View. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-39.
• SP 800-161 Boyens JM, Paulsen C, Moorthy R, Bartol N (2015) Supply Chain Risk Management Practices for Federal Information Systems and Organizations. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-161.
• IR 8023 Dempsey KL, Paulsen C (2015) Risk Management for Replication Devices. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 8023.

Related controls 37

• AC-01 Policy and Procedures L M H P
• AU-01 Policy and Procedures L M H P
• AT-01 Policy and Procedures L M H P
• CA-01 Policy and Procedures L M H P
• CA-02 Control Assessments L M H P
• CA-05 Plan of Action and Milestones L M H P
• CA-06 Authorization L M H P
• CA-07 Continuous Monitoring L M H P
• CM-01 Policy and Procedures L M H P
• CP-01 Policy and Procedures L M H P
• IA-01 Policy and Procedures L M H P
• IR-01 Policy and Procedures L M H P
• MA-01 Policy and Procedures L M H P
• MP-01 Policy and Procedures L M H P
• PE-01 Policy and Procedures L M H P
• PL-01 Policy and Procedures L M H P
• PL-02 System Security and Privacy Plans L M H P
• PM-02 Information Security Program Leadership Role L M H P
• PM-08 Critical Infrastructure Plan L M H P
• PM-18 Privacy Program Plan L M H P
• PM-28 Risk Framing L M H P
• PM-30 Supply Chain Risk Management Strategy L M H P
• PS-01 Policy and Procedures L M H P
• PT-01 Policy and Procedures L M H P
• PT-02 Authority to Process Personally Identifiable Information L M H P
• PT-03 Personally Identifiable Information Processing Purposes L M H P
• RA-01 Policy and Procedures L M H P
• RA-03 Risk Assessment L M H P
• RA-09 Criticality Analysis L M H P
• SA-01 Policy and Procedures L M H P
• SA-04 Acquisition Process L M H P
• SC-01 Policy and Procedures L M H P
• SC-38 Operations Security L M H P
• SI-01 Policy and Procedures L M H P
• SI-12 Information Management and Retention L M H P
• SR-01 Policy and Procedures L M H P
• SR-02 Supply Chain Risk Management Plan L M H P