NIST 800-53 REV 5 • PROGRAM MANAGEMENT
PM-9 — Risk Management Strategy
a. Develops a comprehensive strategy to manage:
   1. Security risk to organizational operations and assets, individuals, other organizations, and the Nation associated with the operation and use of organizational systems; and
   2. Privacy risk to individuals resulting from the authorized processing of personally identifiable information;
b. Implement the risk management strategy consistently across the organization; and
c. Review and update the risk management strategy {{ insert: param, pm-09_odp }} or as required, to address organizational changes.
CMMC Practice Mapping
No direct CMMC mapping
NIST 800-171 Mapping
No direct NIST 800-171 mapping
Supplemental Guidance
An organization-wide risk management strategy includes an expression of the security and privacy risk tolerance for the organization, security and privacy risk mitigation strategies, acceptable risk assessment methodologies, a process for evaluating security and privacy risk across the organization with respect to the organization’s risk tolerance, and approaches for monitoring risk over time. The senior accountable official for risk management (agency head or designated official) aligns information security management processes with strategic, operational, and budgetary planning processes. The risk executive function, led by the senior accountable official for risk management, can facilitate consistent application of the risk management strategy organization-wide. The risk management strategy can be informed by security and privacy risk-related inputs from other sources, both internal and external to the organization, to ensure that the strategy is broad-based and comprehensive. The supply chain risk management strategy described in [PM-30](#pm-30) can also provide useful inputs to the organization-wide risk management strategy.
Practitioner Notes
Your risk management strategy defines how your organization identifies, assesses, and responds to risk at the enterprise level. This is the high-level framework that drives all your individual risk decisions.
Example 1: Write a one-page risk management strategy memo that defines your risk tolerance (e.g., 'We accept low risks, mitigate moderate risks, and avoid or transfer high risks'), the risk assessment methodology you will use (for example, NIST RMF or FAIR), and how often you will reassess risks (annually and after major changes).
Example 2: Create a risk register in Excel or a GRC tool that categorizes each risk by likelihood and impact, assigns a risk owner, and tracks the chosen response (accept, mitigate, transfer, avoid). Review the register quarterly with leadership and update it whenever new threats emerge or your environment changes.
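The register from Example 2 checked against the tolerance statement from Example 1, as an added Python example that is not part of this page or of NIST's material; the 1-3 likelihood/impact scale, the scoring thresholds, the response strength ranking, the 90-day interval and the sample entries are constructed assumptions. It flags two things a quarterly review should catch: entries whose last review is older than the interval, and entries whose tracked response is weaker than the strategy allows for their risk level.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Tolerance rule from the one-page memo: accept low, mitigate moderate, avoid or transfer high.
TOLERANCE = {"low": {"accept"}, "moderate": {"mitigate"}, "high": {"avoid", "transfer"}}
RANK = {"accept": 0, "mitigate": 1, "transfer": 2, "avoid": 2}  # assumed strength ordering
def risk_level(likelihood: int, impact: int) -> str:
    """Map 1-3 likelihood and 1-3 impact to low/moderate/high (constructed thresholds)."""
    if not (1 <= likelihood <= 3 and 1 <= impact <= 3):
        raise ValueError("likelihood and impact must be in 1..3")
    score = likelihood * impact
    return "low" if score <= 2 else "moderate" if score <= 4 else "high"

@dataclass
class Risk:
    risk_id: str
    description: str
    likelihood: int
    impact: int
    owner: str            # every entry has an accountable owner
    response: str         # accept | mitigate | transfer | avoid
    last_reviewed: date

class RiskRegister:
    def __init__(self, review_interval_days: int = 90):  # quarterly review cadence
        self.interval = timedelta(days=review_interval_days)
        self.risks: list[Risk] = []

    def add(self, risk: Risk) -> None:
        if risk.response not in RANK:
            raise ValueError(f"unknown response {risk.response!r}")
        self.risks.append(risk)

    def overdue(self, today: date) -> list[str]:
        """IDs of risks not reviewed within the review interval."""
        return [r.risk_id for r in self.risks if today - r.last_reviewed > self.interval]

    def below_tolerance(self) -> list[str]:
        """IDs of risks whose tracked response is weaker than the strategy requires."""
        required = {lvl: min(RANK[x] for x in opts) for lvl, opts in TOLERANCE.items()}
        return [r.risk_id for r in self.risks
                if RANK[r.response] < required[risk_level(r.likelihood, r.impact)]]

def sample_register() -> RiskRegister:
    """Constructed sample entries, not real findings."""
    reg = RiskRegister()
    reg.add(Risk("R-1", "Unpatched VPN appliance", 3, 3, "IT Ops", "accept", date(2024, 1, 10)))
    reg.add(Risk("R-2", "Lost laptop, disk encrypted", 2, 1, "Security", "accept", date(2024, 5, 1)))
    reg.add(Risk("R-3", "Single-vendor SaaS outage", 2, 2, "Procurement", "transfer", date(2024, 5, 1)))
    return reg
```

In the sample data R-1 is a high risk recorded as accepted, which contradicts the memo's tolerance and is also past its review date, so it would surface in both lists at the quarterly review.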