Mission Risk Reduction for Security Mitigation Efforts

TOPIC SPONSOR: ACC/A6O

What is a model that clearly depicts mission risk reduction in relation to resources expended (cost, time, man-hours) for security mitigation efforts (STIG/patches/configurations/etc) allowing the mission owner and Authorizing Officials the ability to defend decisions to monitor but not mitigate risks that may have no demonstrated activities or clearly do not provide impact to the overall mission security if implemented?