NIST 800-53 r5 · Controls catalogue · Family PM
PM-28Risk Framing
Identify and document: Assumptions affecting risk assessments, risk responses, and risk monitoring; Constraints affecting risk assessments, risk responses, and risk monitoring; Priorities and trade-offs considered by the organization for managing risk; and Organizational risk tolerance; Distribute the results of risk framing activities to {{ insert: param, pm-28_odp.01 }} ; and Review and update risk framing considerations {{ insert: param, pm-28_odp.02 }}.
Last updated: 09 May 2026 03:25 UTC
Implementations targeting this control (0)
- No implementations targeting this control yet.
ATT&CK techniques this control mitigates (0)
- No ATT&CK techniques mapped to this control yet.
Weaknesses this control addresses (2)AI
CWEs ranked by how often they appear in real CVEs. The rationale describes how this control reduces exploitability of each weakness class.
| CWE | Name | CVEs | Why this control addresses it |
|---|---|---|---|
CWE-693 | Protection Mechanism Failure | 476 | Explicit risk framing ensures protection mechanisms are selected, sized, and maintained consistent with organizational risk tolerance, reducing the chance that a mechanism fails because its risk context was never defined. |
CWE-657 | Violation of Secure Design Principles | 19 | Documenting assumptions, constraints, priorities, trade-offs, and risk tolerance directly supports adherence to secure design principles rather than allowing unexamined risk decisions to produce violations. |
Top CVEs where this control is the strongest mitigation
| CVE | Risk | CVSS | EPSS | Match |
|---|---|---|---|---|
| No CVEs annotated to this control yet — the per-CVE backfill is in progress. | ||||