Mission Risk Reduction for Security Mitigation Efforts

What is a model that clearly depicts mission risk reduction in relation to resources expended (cost, time, man-hours) for security mitigation efforts (STIGs, patches, configurations, etc.), giving the mission owner and Authorizing Officials the ability to defend decisions to monitor but not mitigate risks that have no demonstrated activity, or that clearly would not impact overall mission security if implemented?