NIST 800-53 REV 5 • RISK ASSESSMENT

RA-7 Risk Response

Respond to findings from security and privacy assessments, monitoring, and audits in accordance with organizational risk tolerance.

CMMC Practice Mapping

No direct CMMC mapping

NIST 800-171 Mapping

No direct NIST 800-171 mapping

Related Controls

Supplemental Guidance

Organizations have many options for responding to risk including mitigating risk by implementing new controls or strengthening existing controls, accepting risk with appropriate justification or rationale, sharing or transferring risk, or avoiding risk. The risk tolerance of the organization influences risk response decisions and actions. Risk response addresses the need to determine an appropriate response to risk before generating a plan of action and milestones entry. For example, the response may be to accept risk or reject risk, or it may be possible to mitigate the risk immediately so that a plan of action and milestones entry is not needed. However, if the risk response is to mitigate the risk, and the mitigation cannot be completed immediately, a plan of action and milestones entry is generated.

Practitioner Notes

Risk response is what you actually do about the risks you identify. For each risk, you must choose a response: accept it, mitigate it, transfer it (for example, through insurance), share it, or avoid it, and document both the decision and its rationale.

Example 1: For each risk in your risk register, document the chosen response and the rationale. 'We will mitigate the risk of unpatched servers by implementing automated patch management within 30 days. We will accept the residual risk of the 48-hour patching window because the cost of zero-downtime patching exceeds the risk exposure.'

Example 2: For risks you transfer, document the mechanism. 'We transfer the financial risk of a data breach through our cyber insurance policy (Policy #12345, $2M coverage). We transfer the operational risk of 24/7 monitoring to our MSSP under contract C-2024-001 with defined SLAs.' Track these transfer mechanisms in your risk register alongside the risks they address.
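The decision flow in the supplemental guidance and the two examples above can be turned into a mechanical check over a risk register. The following is an added example, not NIST text or any tool's code: it assumes a simple `Risk` record per register entry and a numeric risk tolerance (likelihood × impact, both 1 to 5), flags entries whose response lacks a rationale, accepted risks that exceed tolerance, transfers without a documented mechanism, and open mitigations without a target date, and derives plan of action and milestones (POA&M) entries only for mitigations that were not completed immediately, as RA-7 describes. The register contents are constructed for illustration.

```python
"""Added example (not part of the NIST RA-7 text): apply the RA-7 risk-response
decision flow to a small, constructed risk register."""

from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# The five response options named in the supplemental guidance.
VALID_RESPONSES = {"accept", "mitigate", "transfer", "share", "avoid"}


@dataclass
class Risk:
    risk_id: str
    description: str
    likelihood: int                     # 1 (rare) .. 5 (almost certain)
    impact: int                         # 1 (negligible) .. 5 (severe)
    response: str                       # one of VALID_RESPONSES
    rationale: str = ""                 # justification for the chosen response
    mitigation_complete: bool = False   # only meaningful when response == "mitigate"
    due_date: Optional[date] = None     # target date for an open mitigation
    transfer_mechanism: str = ""        # policy or contract reference for transfer/share

    @property
    def score(self) -> int:
        """Simple likelihood x impact score used against the tolerance threshold."""
        return self.likelihood * self.impact


def validate(risk: Risk, risk_tolerance: int) -> list[str]:
    """Return findings for one register entry; an empty list means the entry is complete."""
    problems = []
    if risk.response not in VALID_RESPONSES:
        problems.append(f"{risk.risk_id}: unknown response '{risk.response}'")
    if not risk.rationale.strip():
        problems.append(f"{risk.risk_id}: response has no documented rationale")
    if risk.response == "accept" and risk.score > risk_tolerance:
        problems.append(
            f"{risk.risk_id}: accepted score {risk.score} exceeds tolerance {risk_tolerance}")
    if risk.response in {"transfer", "share"} and not risk.transfer_mechanism:
        problems.append(f"{risk.risk_id}: transfer/share without a documented mechanism")
    if risk.response == "mitigate" and not risk.mitigation_complete and risk.due_date is None:
        problems.append(f"{risk.risk_id}: open mitigation has no target date")
    return problems


def review_register(register: list[Risk], risk_tolerance: int) -> list[str]:
    """Collect findings across the whole register."""
    findings = []
    for risk in register:
        findings.extend(validate(risk, risk_tolerance))
    return findings


def poam_entries(register: list[Risk]) -> list[dict]:
    """RA-7 rule: a POA&M entry is generated only when the response is to mitigate
    and the mitigation could not be completed immediately."""
    return [
        {"risk_id": r.risk_id, "milestone": r.description, "due": r.due_date}
        for r in register
        if r.response == "mitigate" and not r.mitigation_complete
    ]


# Constructed sample register; the fixed date keeps the output reproducible.
TODAY = date(2024, 6, 1)
RISK_TOLERANCE = 9  # constructed threshold: scores above this cannot simply be accepted
SAMPLE_REGISTER = [
    Risk("R-01", "Unpatched servers", 4, 4, "mitigate",
         "Automated patch management to be deployed within 30 days",
         due_date=TODAY + timedelta(days=30)),
    Risk("R-02", "48-hour patching window (residual risk)", 2, 3, "accept",
         "Cost of zero-downtime patching exceeds the risk exposure"),
    Risk("R-03", "Financial impact of a data breach", 3, 5, "transfer",
         "Covered by cyber insurance",
         transfer_mechanism="Policy #12345, $2M coverage"),
    Risk("R-04", "Legacy file share reachable from the user network", 5, 4, "accept", ""),
]

if __name__ == "__main__":
    for finding in review_register(SAMPLE_REGISTER, RISK_TOLERANCE):
        print("FINDING:", finding)
    for entry in poam_entries(SAMPLE_REGISTER):
        print("POA&M:", entry)
```

Run as a script, the check reports two findings for R-04 (no rationale, and an accepted score of 20 above the tolerance of 9) and emits a single POA&M entry for R-01, because it is the only mitigation still open; R-02 and R-03 pass because their acceptance rationale and transfer mechanism are recorded.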