ID.RM-3: Establishing Risk Tolerance for Critical Infrastructure
Risk tolerance isn't one-size-fits-all—especially if your organization operates critical infrastructure. NIST control ID.RM-3 requires you to define acceptable risk levels informed by your sector's unique threat landscape and regulatory obligations. This guide walks you through assessment, documentation, and continuous alignment.
What this means
This control mandates that your organization explicitly determines how much risk it can accept based on two key factors: (1) your role and dependencies within critical infrastructure sectors, and (2) sector-specific risk analyses relevant to your industry. Rather than applying generic risk thresholds, ID.RM-3 requires contextual risk appetite statements that reflect operational realities, regulatory constraints, and stakeholder expectations. The determination must be documented, communicated across leadership, and reviewed periodically as threats and business conditions evolve.
How to comply
- 1.Identify your organization's critical infrastructure sector and dependencies (energy, healthcare, finance, water, communications, etc.)
- 2.Conduct a sector-specific risk analysis using industry frameworks, threat intelligence, and regulatory guidance relevant to your vertical
- 3.Define risk tolerance thresholds for key asset classes, threat vectors, and business functions—quantified where possible (e.g., acceptable downtime, data loss tolerance)
- 4.Document risk tolerance statements with executive sign-off, including rationale and assumptions
- 5.Communicate risk tolerance to relevant teams (security, operations, board) to align decision-making
- 6.Review and update risk tolerance annually or when critical infrastructure role, threat landscape, or regulations change
Evidence auditors look for
- Documented risk tolerance statement signed by CISO and business leadership with sector-specific justifications
- Critical infrastructure sector classification and dependency mapping
- Sector-specific risk analysis report (e.g., CISA alerts, industry association guidance, regulatory standards for your sector)
- Risk appetite matrices showing acceptable thresholds for confidentiality, integrity, and availability by asset tier
- Board minutes or governance meeting records approving organizational risk tolerance
- Evidence of risk tolerance communication to security and operations teams
Frequently asked questions
When will FAQs be available?
The FAQ for this control is currently being prepared.
GRCWatch automates the collection and documentation of sector-specific risk analyses and governance approvals, then tracks risk tolerance changes and compliance reviews—eliminating manual tracking and ensuring your ID.RM-3 determination stays audit-ready.
See how GRCWatch handles this control automatically
Start free trial