CISSP-ISSEP · Question #144
The phase 3 of the Risk Management Framework (RMF) process is known as mitigation planning. Which of the following processes take place in phase 3? Each correct answer represents a complete solution.
The correct answer is A. Agree on a strategy to mitigate risks. B. Evaluate mitigation progress and plan next assessment. D. Document and implement a mitigation plan.. Phase 3 of the RMF (Mitigation Planning) centers on responding to identified risks - which means agreeing on a strategy (A), documenting and implementing the actual mitigation plan (D), and then evaluating progress to inform the next round (B) are all core activities of this phas
Question
The phase 3 of the Risk Management Framework (RMF) process is known as mitigation planning. Which of the following processes take place in phase 3? Each correct answer represents a complete solution. Choose all that apply.
Options
- AAgree on a strategy to mitigate risks.
- BEvaluate mitigation progress and plan next assessment.
- CIdentify threats, vulnerabilities, and controls that will be evaluated.
- DDocument and implement a mitigation plan.
How the community answered
(43 responses)- A91% (39)
- C9% (4)
Explanation
Phase 3 of the RMF (Mitigation Planning) centers on responding to identified risks - which means agreeing on a strategy (A), documenting and implementing the actual mitigation plan (D), and then evaluating progress to inform the next round (B) are all core activities of this phase. Option B fits here because tracking mitigation progress and scheduling the next assessment is part of closing the loop within the mitigation planning cycle, not a separate phase. These three options together represent the full arc of mitigation: plan, execute, and review.
Why C is wrong: Identifying threats, vulnerabilities, and controls belongs to Phase 2 (Risk Assessment), not Phase 3. By the time you reach mitigation planning, that identification work is already done - you're now acting on it.
Memory tip: Think of Phase 3 as "APD" - Agree, Plan/implement, Done-checking (evaluate progress). If an activity sounds like discovery (finding threats, identifying controls), it's Phase 2. If it sounds like action and follow-through, it's Phase 3.
Topics
Community Discussion
No community discussion yet for this question.