PM-29

Requirement
1. Appoint a Senior Accountable Official for Risk Management to align organizational information security and privacy management processes with strategic, operational, and budgetary planning processes; and
2. Establish a Risk Executive (function) to view and analyze risk from an organization-wide perspective and ensure management of risk is consistent across the organization.

Discussion

The senior accountable official for risk management leads the risk executive (function) in organization-wide risk management activities.

NIST 800-53A Assessment Guidance

Examine

[SELECT FROM: Information security program plan; privacy program plan; risk management strategy; supply chain risk management strategy; documentation of appointment, roles, and responsibilities of a Senior Accountable Official for Risk Management; documentation of actions taken by the Official; documentation of the establishment, policies, and procedures of a Risk Executive (function)].

Interview

[SELECT FROM: Senior Accountable Official for Risk Management; chief information officer; senior agency information security officer; senior agency official for privacy; organizational personnel with information security and privacy program responsibilities].

ID	Assessment Objectives
PM-29b.[01]	a Risk Executive (function) is established;
PM-29b.[02]	a Risk Executive (function) views and analyzes risk from an organization-wide perspective;
PM-29b.[03]	a Risk Executive (function) ensures that the management of risk is consistent across the organization.
PM-29a.[02]	a Senior Accountable Official for Risk Management aligns information security and privacy management processes with strategic, operational, and budgetary planning processes;
PM-29a.[01]	a Senior Accountable Official for Risk Management is appointed;

Our CMMC Overview Course simplifies CMMC. Enroll so you can make informed decisions!