catalog: SP800-53rev3 / class: Management / family: (PM) Program Management

PM-09: Risk Management Strategy

base control objective:
The organization:
a. Develops a comprehensive strategy to manage risk to organizational operations and assets, individuals, other organizations, and the Nation associated with the operation and use of information systems; and
b. Implements that strategy consistently across the organization.

supplemental objective information:
An organization-wide risk management strategy includes, for example, an unambiguous expression of the risk tolerance for the organization, acceptable risk assessment methodologies, risk mitigation strategies, a process for consistently evaluating risk across the organization with respect to the organization’s risk tolerance, and approaches for monitoring risk over time. The use of a risk executive function can facilitate consistent, organization-wide application of the risk management strategy. The organization-wide risk management strategy can be informed by risk-related inputs from other sources both internal and external to the organization to ensure the strategy is both broad-based and comprehensive.

enhancements to the base objective:

None.

mapping to FIPS199 baseline:

LOW: org     MOD: org     HIGH: org

(PM controls in SP800-53rev3 are not allocated to the low, moderate, or high baselines; they are implemented organization-wide and apply regardless of the impact level of any individual system.)

related controls:

None.

documents referenced in SP800-53rev3 for PM-09:

None.