NIST CSF 2.0 · All Functions · ID Identify · ID.RA Risk Assessment

ID.RA-06

Implementation examples

• Ex1: Apply the vulnerability management plan's criteria for deciding whether to accept, transfer, mitigate, or avoid risk
• Ex2: Apply the vulnerability management plan's criteria for selecting compensating controls to mitigate risk
• Ex3: Track the progress of risk response implementation (e.g., plan of action and milestones [POA&M], risk register, risk detail report)
• Ex4: Use risk assessment findings to inform risk response decisions and actions
• Ex5: Communicate planned risk responses to affected stakeholders in priority order

Mapped NIST 800-53 r5 controls (4)

Mapped CWE weaknesses (1)

Hover any chip for the human-reviewed coverage assessment in each direction. ← = the CWE covers this subcategory; → = this subcategory covers the CWE. F / M / P = full, mostly, partial.

All informative references (54)

• CCMv4.0: A&A-05
• CCMv4.0: A&A-06
• CCMv4.0: AIS-07
• CCMv4.0: CEK-07
• CCMv4.0: TVM-01
• CCMv4.0: TVM-03
• CCMv4.0: TVM-08
• CCMv4.0: TVM-09
• CCMv4.0: TVM-10
• CRI Profile v2.0: ID.RA-06
• CRI Profile v2.0: ID.RA-06.01
• CRI Profile v2.0: ID.RA-06.02
• CRI Profile v2.0: ID.RA-06.03
• CRI Profile v2.0: ID.RA-06.04
• CRI Profile v2.0: ID.RA-06.05
• CRI Profile v2.0: ID.RA-06.06
• CSF v1.1: ID.RA-6
• CSF v1.1: RS.MI-3
• CoP: A5
• ISO/IEC 27001:2022: Mandatory Clause: 6.13
• ISO/IEC 27001:2022: Annex A Controls: 5.7
• NICE Framework: IO-WRL-006
• NICE Framework: OG-WRL-010
• NICE Framework: OG-WRL-011
• NICE Framework: OG-WRL-013
• NICE Framework: OG-WRL-014
• NICE Framework: PD-WRL-006
• NICE Framework: PD-WRL-007
• PCI DSS: 6.3.3
• PCI DSS: 11.3.1
• PCI DSS: 11.3.2
• PCI DSS: 12.10.1
• SCF: RSK-01.1
• SCF: RSK-02.1
• SCF: RSK-06.1
• SDOS: SDOS-GV-02
• SDOS: SDOS-RM-01
• SP 800-171 Rev 3: 03.11.04
• SP 800-221A: MA.RP
• SP 800-53 Rev 5.1.1: PM-09
• SP 800-53 Rev 5.1.1: PM-18
• SP 800-53 Rev 5.1.1: PM-30
• SP 800-53 Rev 5.1.1: RA-07
• SP 800-53 Rev 5.2.0: PM-09
• SP 800-53 Rev 5.2.0: PM-18
• SP 800-53 Rev 5.2.0: PM-30
• SP 800-53 Rev 5.2.0: RA-07
• SP-800-37 Rev 2: RMF Prepare Step (Organization & Mission/Business Levels): TASK P-2 Risk Management Strategy
• SP-800-37 Rev 2: RMF Assess Step: TASK A-5 Remediation Actions
• SP-800-37 Rev 2: RMF Assess Step: TASK A-6 Plan of Action and Milestones
• SP-800-37 Rev 2: RMF Authorize Step: TASK R-3 Risk Response
• SP-800-37 Rev 2: RMF Monitor Step: TASK M-3 Ongoing Risk Response
• SP-800-37 Rev 2: RMF Monitor Step: TASK M-6 Ongoing Authorization
• SSDF: PO.5.2

Source: NIST Cybersecurity Framework 2.0 · CSF 2.0 → 800-53 mappings sourced from NIST Cybersecurity & Privacy Reference Tool (CPRT) · US government work — attribution requested per NIST Open License Terms. Direct CSF→CWE/CVE cross-references will be added in a Phase B LLM-authored mapping pass (not yet rendered).