1. NIST Special Publication 800-39, Managing Information Security Risk: Organization, Mission, and Information System View.
Page 13, Section 2.3, "RISK RESPONSE": "Once risk is determined from the risk assessment, organizations develop and implement a course of action to respond to that risk... The purpose of the risk response step is to identify, evaluate, and implement the appropriate course(s) of action." This supports selecting a strategy (A) and implementing a plan (D).
Page 13, Section 2.3, "RISK MONITORING": "Organizations monitor the implementation and effectiveness of risk responses on an ongoing basis..." This confirms that evaluating progress (B) is a separate, subsequent phase.
2. NIST Special Publication 800-37 Revision 2, Risk Management Framework for Information Systems and Organizations: A System Life Cycle Approach for Security and Privacy.
Page 58, Section 3.5, "TASK A-2: DETERMINE RISK": The output of the risk assessment includes "a list of identified risks to be addressed in the risk response phase of the risk management process." This shows that identification (C) precedes mitigation.
Page 81, Appendix F, "PLAN OF ACTION AND MILESTONES": "The plan of action and milestones is a key document in the risk management process... [it] is the primary vehicle for documenting the planned activities to correct weaknesses and deficiencies..." This directly supports the documentation and implementation of a mitigation plan (D).
3. Carnegie Mellon University, Software Engineering Institute (SEI), Continuous Risk Management Guidebook.
Page 21, Chapter 4, "Mitigation": "Risk mitigation is the process of developing, selecting, and implementing a course of action to reduce risk to an acceptable level... The process begins with the development of risk mitigation plans." This source defines the mitigation phase as including the development of a strategy and the implementation of a plan (A and D).