CMMC Practice Requirement:

Develop and implement risk mitigation plans.

CMMC Requirement Explanation:

When the consequences of risk are determined to be unacceptable, you must act to address it. Addressing risk requires the development of a plan. Risk response will require adjustments to your current security strategies. Not all risk can be mitigated. You need to address residual risk—the risk that remains and is accepted by the organization after response plans are implemented.

Example CMMC Implementation:

Determine how you will deal with the risks identified in your risk assessment report. Create a plan specifying how you will address the risks. Options include risk avoidance, acceptance, monitoring, transfer, and mitigation. Determine the actions you will take to limit risk, security controls you plan to put in place, and the resources needed to implement the plan.

- Scenario 1:

Upon management review of your risk assessment report, management instructs you to address the high-risk items. You develop a plan to address those risks and implement it.
