NIST 800-53 REV 5 • PROGRAM MANAGEMENT

PM-28 Risk Framing

a. Identify and document:
   1. Assumptions affecting risk assessments, risk responses, and risk monitoring;
   2. Constraints affecting risk assessments, risk responses, and risk monitoring;
   3. Priorities and trade-offs considered by the organization for managing risk; and
   4. Organizational risk tolerance;
b. Distribute the results of risk framing activities to [Assignment: organization-defined personnel]; and
c. Review and update risk framing considerations [Assignment: organization-defined frequency].

CMMC Practice Mapping

No direct CMMC mapping

NIST 800-171 Mapping

No direct NIST 800-171 mapping

Related Controls

Supplemental Guidance

Risk framing is most effective when conducted at the organization level and in consultation with stakeholders throughout the organization including mission, business, and system owners. The assumptions, constraints, risk tolerance, priorities, and trade-offs identified as part of the risk framing process inform the risk management strategy, which in turn informs the conduct of risk assessment, risk response, and risk monitoring activities. Risk framing results are shared with organizational personnel, including mission and business owners, information owners or stewards, system owners, authorizing officials, senior agency information security officer, senior agency official for privacy, and senior accountable official for risk management.

Practitioner Notes

Risk framing sets the context for how your organization thinks about and evaluates risk. It defines your risk assumptions, constraints, tolerance levels, and priorities before you start assessing individual risks.

Example 1: Develop a risk framing document that states your organization's risk appetite in plain terms, for example: "We will not accept any risk that could result in loss of CUI," or "We will accept low-impact operational risks when the cost of mitigation exceeds the expected loss by 5x." Get leadership sign-off, distribute the document to the personnel named in the control's first parameter (at minimum the mission/business owners, system owners, authorizing officials, and senior security, privacy, and risk officials listed in the supplemental guidance), and put the review on a calendar at the frequency named in the second parameter, since risk tolerance statements drift out of date as the business and threat landscape change.

Example 2: Use the organization-level tasks of the NIST RMF "Prepare" step (SP 800-37 Rev. 2) to produce your risk framing. Document your threat assumptions (which adversaries are likely to target you and what they are after), your vulnerability assumptions (where you know you are weak), and your impact definitions (what constitutes low, moderate, or high impact to your mission or business). These assumptions become the inputs to the organization-wide risk assessment and the risk management strategy, so record them explicitly rather than leaving them implicit in individual system assessments.