Rewrite: risk-management-decisions-for-defense-contractors

Master risk management in computer security to strengthen defenses for defense contractors.

---

Risk Management Decisions for Defense Contractors

Finding risks is the easy part. Deciding what to do about them is where the work actually happens.

Every risk identified in your risk assessment requires a documented response decision. Four options: mitigate, accept, transfer, or avoid. In practice, most organizations default to "mitigate everything" — which sounds responsible until your POA&M has 40 items and no clear priorities. Or they informally accept risks without documenting it, which creates problems when an assessor asks for the risk register and finds gaps with no decision attached.

Here's how to make risk management decisions that are defensible under CMMC, prioritized correctly, and actually manageable.

The Four Response Options

Mitigate

You implement a control that reduces the risk to an acceptable level. This is the default response and the one required for most CMMC gaps — a control you haven't implemented is a vulnerability, and leaving it open without documentation isn't acceptable.

Mitigation decisions need to answer:
- What specific control will you implement?
- What is the target timeline?
- Who owns the implementation?
- What is the residual risk after the control is in place?

That last question matters. A control that reduces a High risk to Low is worth implementing. A control that reduces a High risk to Medium may still need another layer. If you're remediating a finding, think about where the risk lands after remediation — not just whether the specific vulnerability is addressed.

Accept

You document that the risk exists, acknowledge the potential impact, and decide not to implement additional controls — either because the cost of mitigation exceeds the value of the risk reduction, or because the risk falls below your tolerance threshold.

Risk acceptance has a bad reputation because it's often done informally ("we know about this but haven't gotten around to fixing it"). Formal risk acceptance — with documentation, management sign-off, and a defined review period — is a legitimate and sometimes correct response.

Under CMMC, the POA&M is the place for unmet requirements that have a closeout plan; a formally accepted risk belongs in your risk register, where an assessor will look for it alongside the risk assessment. The register entry for an accepted risk should include: what the risk is, why it's being accepted (rationale), what compensating controls are in place, who approved the acceptance, and when the decision will be reviewed.

What CMMC won't let you accept: any requirement needed for Level 2 that is Not Implemented (NI) cannot be "accepted"; it goes on a POA&M and gets remediated on a fixed timeline. Under 32 CFR 170, a Level 2 POA&M is only permitted when the assessment already meets the minimum score (80 percent of the maximum), only requirements worth 1 point under the DoD Assessment Methodology are POA&M-eligible (with narrow exceptions), and every item must be closed out within 180 days of the Conditional CMMC Status date or the status lapses. A POA&M entry means you have a gap and a dated plan to close it, not that you've decided to live with it.

You can accept a residual risk (the risk that remains after a control is implemented, which is lower but not zero). You cannot accept a required control gap without a plan and timeline. The distinction is important.

Transfer

You shift the financial consequence of the risk to another party — typically through cyber liability insurance or contractual arrangements with service providers.

Transfer doesn't eliminate the risk. It doesn't protect your CUI. It doesn't prevent the breach. It provides financial recovery after the fact.

For defense contractors, cyber liability insurance serves two purposes: covering the cost of incident response (forensics, legal counsel, notification) and covering the cost of regulatory consequences. A policy with $2M–$5M in cyber liability coverage costs roughly $5,000–$25,000 per year for a small-to-mid-size contractor, depending on revenue, claim history, and security posture.

The critical limit of transfer: under DFARS 252.204-7012, you must rapidly report a cyber incident to the DoD within 72 hours of discovery and preserve images of affected systems and relevant monitoring data for at least 90 days after the report. Insurance doesn't fulfill those obligations; only your incident response process can. Transfer is a financial hedge, not a security control.

Avoid

You eliminate the risk by stopping the activity that creates it. If a specific business process generates unacceptable CUI risk and there's no cost-effective way to secure it, you stop doing that thing.

In practice, avoidance is rare for established defense contractors. You can't simply stop handling CUI if it's core to your contract performance. Avoidance makes more sense when:
- You're evaluating a new contract and can decline work that would require CUI handling you're not prepared to secure
- You're considering a new third-party service and decide the integration risk isn't worth it
- You're expanding into a new business area and the security cost of doing it properly is prohibitive

Avoidance is an early-stage decision. It's harder to execute after you've made commitments.

How to Prioritize: The Decision Framework

With a risk register full of identified risks, the question is where to spend time and money first. The hierarchy:

1. Address anything that blocks CMMC certification.

Requirements that are Not Implemented (NI) and needed for Level 2 go on your POA&M. A Level 2 assessment with unmet requirements yields, at best, a Conditional CMMC Status, and only when the remaining gaps are POA&M-eligible and the score clears the minimum; otherwise it yields no CMMC Status at all. Identify which unimplemented requirements carry the highest risk and the heaviest assessment weight, and attack those first.

2. Address high-risk findings above your tolerance threshold.

Your risk register should have a defined tolerance line — risks above this line get mitigated or accepted with management sign-off, not deferred. For most contractors, High-rated risks are above that line. These get a specific owner, timeline, and remediation plan.

3. Address quick wins that reduce multiple risks simultaneously.

Some control implementations reduce multiple risk entries at once. Deploying MFA across all remote access, for example, reduces the risk from credential-based attacks (multiple threat scenarios), recovers a 5-point SPRS deduction, and covers most of IA.L2-3.5.3 (local access to privileged accounts still needs MFA to close the requirement fully). High-impact, high-efficiency remediations that close multiple POA&M items are worth prioritizing even if their individual risk ratings are Moderate.

4. Build the residual risk into your monitoring program.

Once you've implemented controls for your high-risk findings, the remaining residual risk needs to be tracked — not forgotten. Your continuous monitoring program (required under CA.L2-3.12.3) should include specific monitoring for the threat vectors associated with your highest residual risks. If your highest residual risk after mitigation is still "credential theft via phishing," your monitoring should include alerts on anomalous authentication activity and your user training should specifically address phishing recognition.

The POA&M: Your Living Risk Decision Document

Under CMMC, your Plan of Action and Milestones (POA&M) is the documentation that bridges your risk assessment and your remediation program. Every control gap, whether you're actively remediating it or it's scheduled for future remediation, should have a POA&M entry with a closeout date. An accepted residual risk is not a gap: it lives in the risk register with its compensating controls, approver and review date, and the POA&M should reference it rather than carry it as an open item.

A POA&M entry includes:
- What: the specific control gap (e.g., "MFA not implemented for privileged accounts; IA.L2-3.5.3 Not Implemented")
- Why it matters: the risk rating from your assessment (e.g., "High risk; credential theft is the primary initial access vector for APT groups targeting the DIB")
- What you're doing: the remediation action (e.g., "Deploy hardware tokens or FIDO2 authenticators for all privileged accounts")
- Timeline: specific completion date
- Owner: who is accountable
- Status: current progress

The POA&M is reviewed during your assessment. Under CA.L2-3.12.2, you're required to develop and implement plans of action to correct deficiencies and reduce or eliminate vulnerabilities; it's not optional. (CA.L2-3.12.4 is the system security plan requirement; assessors read the SSP and the POA&M together.) Assessors will check that POA&M items are being worked, not just listed.

Common mistake: treating the POA&M as a parking lot. Items go in, timelines slip, nothing gets closed out. When an assessor sees a POA&M with 30 items and none closed in 18 months, the question isn't "do you have a POA&M" — it's "is your POA&M process real?"

POA&M discipline: review monthly, close items when remediation is verified, update timelines when circumstances change, and document the reasons for any timeline changes. Keep a log of items that have been closed and the evidence that demonstrates closure.
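
To make the prioritization hierarchy and the POA&M discipline checks concrete, here is an added example, not tooling from the article and not any official CMMC or DoD artifact: a small Python linter and prioritizer run over a constructed risk register. The `Risk` fields, the findings it raises, the tier rules, the tolerance line and every sample entry are assumptions chosen to exercise the four response options; the one external figure it encodes is the 180-day Level 2 POA&M closeout window from 32 CFR 170. It flags an acceptance with no sign-off or review date, an acceptance placed on a required control gap, a POA&M item with no owner or a slipped date, a mitigation with no recorded residual risk, and a due date beyond the closeout window, then orders the register by the four tiers, with "quick win" measured by how many other open entries share a mapped requirement.

```python
"""Risk-register / POA&M linter and prioritizer: an added example, not the article's own
tooling.  Field names, checks, tier rules and all sample entries are assumptions."""
from __future__ import annotations
from dataclasses import dataclass
from datetime import date, timedelta

RATING = {"Low": 1, "Moderate": 2, "High": 3}
RESPONSES = {"mitigate", "accept", "transfer", "avoid"}
TOLERANCE = "High"      # at or above this a risk must not sit undecided
CLOSEOUT_DAYS = 180     # 32 CFR 170: Level 2 POA&M items close within 180 days of Conditional Status
NI = "Not Implemented"

@dataclass
class Risk:
    id: str
    title: str
    inherent: str                   # Low / Moderate / High, from the risk assessment
    response: str                   # mitigate / accept / transfer / avoid
    controls: tuple = ()            # NIST SP 800-171 requirement IDs this risk maps to
    status: str = "Implemented"     # status of the mapped control; NI means a gap
    residual: str | None = None     # expected rating once the mitigation is in place
    owner: str | None = None
    due: date | None = None
    approved_by: str | None = None  # management sign-off on an acceptance
    review_by: date | None = None   # when an acceptance is revisited

def lint(r: Risk, today: date, conditional: date | None = None) -> list[str]:
    """Findings an assessor would raise for one register entry."""
    if r.response not in RESPONSES:
        return ["no documented response decision"]
    f: list[str] = []
    gap = r.status == NI
    if r.response == "accept":
        if gap:
            f.append("required control gap marked 'accept'; needs a POA&M with a closeout date")
        if not r.approved_by:
            f.append("accepted risk has no management sign-off")
        if r.review_by is None:
            f.append("accepted risk has no review date")
    if r.response == "mitigate":
        if not r.owner:
            f.append("POA&M item has no owner")
        if r.due is None:
            f.append("POA&M item has no completion date")
        elif r.due < today:
            f.append(f"POA&M item overdue by {(today - r.due).days} days")
        if r.residual is None:
            f.append("no residual risk recorded for the planned mitigation")
        if gap and conditional and r.due and r.due > conditional + timedelta(days=CLOSEOUT_DAYS):
            f.append(f"due date falls outside the {CLOSEOUT_DAYS}-day POA&M closeout window")
    return f

def is_open(r: Risk) -> bool:
    """Undecided or unfinished: a pending mitigation, or an acceptance nobody signed."""
    return r.response == "mitigate" or (r.response == "accept" and not r.approved_by)

def shared(r: Risk, register: list[Risk]) -> int:
    """Other open entries a fix for this one would also move (the quick-win signal)."""
    return sum(1 for o in register if o is not r and is_open(o) and set(o.controls) & set(r.controls))

def tier(r: Risk, register: list[Risk]) -> int:
    """1 blocks certification, 2 above tolerance and undecided, 3 quick win, 4 decided."""
    if r.status == NI:
        return 1
    if is_open(r) and RATING[r.inherent] >= RATING[TOLERANCE]:
        return 2
    if is_open(r) and shared(r, register):
        return 3
    return 4

def prioritize(register: list[Risk]) -> list[str]:
    """Register IDs in work order: tier, then rating, then breadth of effect, then ID."""
    key = lambda r: (tier(r, register), -RATING[r.inherent], -shared(r, register), r.id)
    return [r.id for r in sorted(register, key=key)]

TODAY, CONDITIONAL = date(2025, 6, 1), date(2025, 5, 1)   # constructed: today, Conditional Status date
REGISTER = [                                              # constructed sample entries
    Risk("R-01", "Credential theft via phishing of privileged users", "High", "mitigate",
         ("IA.L2-3.5.3", "AT.L2-3.2.1"), NI, "Moderate", "IT Manager", date(2025, 8, 15)),
    Risk("R-02", "Remote access without MFA", "High", "mitigate",
         ("IA.L2-3.5.3", "AC.L2-3.1.12"), NI, "Low", "IT Manager", date(2025, 8, 15)),
    Risk("R-03", "Unpatched internet-facing web server", "High", "accept", ("SI.L2-3.14.1",)),
    Risk("R-04", "Media leaves site unsanitized", "High", "accept", ("MP.L2-3.8.3",), NI,
         approved_by="COO", review_by=date(2025, 12, 1)),
    Risk("R-05", "Breach response cost exceeds cash reserves", "Moderate", "transfer",
         ("IR.L2-3.6.1",), approved_by="VP Ops", review_by=date(2026, 6, 1)),
    Risk("R-06", "No phishing simulations for CUI handlers", "Moderate", "mitigate",
         ("AT.L2-3.2.1",), "Implemented", "Low", None, date(2025, 4, 1)),
    Risk("R-07", "Non-FIPS crypto on CUI file transfer", "High", "mitigate",
         ("SC.L2-3.13.11",), NI, "Low", "IT Manager", date(2026, 3, 1)),
]

if __name__ == "__main__":
    for r in REGISTER:
        print(r.id, lint(r, TODAY, CONDITIONAL))
    print("work order:", " > ".join(prioritize(REGISTER)))
```

R-04 is the instructive case: it has an approver and a review date, so as a risk acceptance it looks clean, but because the mapped requirement is Not Implemented the linter flags it and it still lands in tier 1. R-06 shows the other direction: a Moderate item that would otherwise wait is pulled into tier 3 because the same training control also moves R-01. The tier order comes out R-01, R-02, R-04, R-07 (gaps, highest rating and broadest effect first), then R-03 (a High risk nobody has actually decided on), then R-06, then R-05 (transferred, signed, nothing left to do but monitor).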

Risk Decisions Require Management Involvement

Risk management decisions aren't IT decisions — they're organizational decisions with business consequences. The CISO or IT manager can run the technical analysis, but the risk response decisions need organizational authority behind them.

This matters for CMMC in two ways:

First, assessors will ask who made risk acceptance decisions. If the answer is "our IT manager made a judgment call," that's a weaker answer than "our CISO presented the risk to the executive team and we made a documented decision." Management sign-off on risk acceptance isn't bureaucracy — it's the organization acknowledging that it understands the consequences.

Second, the resources to mitigate risks come from management decisions about budget and priorities. If your CISO can identify the risks but can't get the budget to remediate them, risks sit open. The risk management program needs organizational support, not just technical execution.

Document management involvement in your risk assessment outputs. A signature page on your risk assessment report, a meeting record where risk decisions were discussed, or an email chain where a VP approved a risk acceptance decision — any of these creates an audit trail that shows the process is real.

What Your Assessor Expects

For risk management decisions, the assessor is evaluating two things:

Process: Do you have a defined, documented process for making risk response decisions? Is it being followed? Does management understand the risks and their role in decisions?

Output: Is your risk register and POA&M current? Do risk ratings reflect your actual control environment? Are accepted risks documented with rationale and management sign-off? Are POA&M items being actively remediated on their defined timelines?

The interview questions will be direct: "Walk me through your highest-priority risk right now." "What's your process for accepting a risk rather than mitigating it?" "Who approved this POA&M item?" Come prepared with specific answers from your current risk register, not generalities about your process.

Risk management decisions are where your risk program becomes real or stays theoretical. The documentation is how you prove which it is.

---

For guidance on prioritizing your POA&M when you have limited resources, see Risk Remediation: How to Prioritize When Everything Is a Gap.