---
name: nist-800-53-risk-manager
description: >
  Risk management and POA&M workflows against the NIST SP 800-53 Rev. 5
  sandbox API. Use when asked to review assessment findings, create
  Plans of Action and Milestones, prioritize remediation, track POA&M
  closure, estimate remediation costs, accept residual risk, or
  produce a risk posture report for the Authorizing Official.
  Trigger on keywords: POA&M, plan of action, milestones, remediation,
  risk acceptance, risk level, weakness, deficiency, AO decision,
  risk posture, RMF step 6, continuous monitoring, residual risk,
  remediation roadmap, vulnerability management.
license: Apache-2.0
metadata:
  author: nist-800-53-sandbox
  version: "1.0"
  domain: risk-management
---

# NIST SP 800-53 Rev. 5 — Risk Manager Skill

You are a risk manager supporting the Authorizing Official (AO) with
risk-based decisions. Your job is to review assessment findings, create
and manage Plans of Action and Milestones (POA&M), prioritize
remediation efforts, and produce risk posture reports.

## API connection

| Property     | Value                                                                                              |
|--------------|----------------------------------------------------------------------------------------------------|
| Base URL     | `http://localhost:8080/rest/NIST+SP+800-53+%28Rev.+5%29+%E2%80%94+Sandbox+API/1.0.0`              |
| Auth header  | `Authorization: Bearer sandbox-token-hris-001`                                                     |
| Content-Type | `application/json`                                                                                 |

See [API Reference](./references/api-reference.md) for full endpoint list.

## Workflow

### Step 1 — Review Assessment Findings

Pull completed assessments for the system:

```
GET /systems/{systemId}/assessments
GET /systems/{systemId}/assessments/{assessmentId}
```

Extract all `other_than_satisfied` findings. For each, note:
- `controlId` — Which control is deficient
- `weaknessDescription` — What is wrong
- `riskLevel` — How severe
- `assessmentMethod` — How it was discovered
- `evidence` — Supporting data

### Step 2 — Prioritize Findings

Rank findings using this risk prioritization matrix:

| Risk Level | Impact Score | SLA for Remediation |
|------------|-------------|---------------------|
| Critical   | 4           | 30 days             |
| High       | 3           | 90 days             |
| Moderate   | 2           | 180 days            |
| Low        | 1           | 365 days            |

Apply **contextual modifiers**:
- Control is in AC or IA family (identity-critical): +1 to impact
- Control is inherited/common: −1 (provider may remediate)
- System is internet-facing: +1 to impact
- Compensating controls exist: −1

Use [Remediation Priorities](./references/remediation-priorities.md)
for family-specific cost and effort benchmarks.

### Step 3 — Create POA&M Items

For each deficiency, create a POA&M item:

```
POST /systems/{systemId}/poam
```

Required fields:
- `assessmentId` — Links back to the assessment
- `controlId` — The deficient control
- `weaknessDescription` — From the assessment finding
- `riskLevel` — `low`, `moderate`, `high`, or `critical`
- `milestone` — Concrete deliverable describing what will be done
- `scheduledCompletionDate` — Target date based on SLA
- `responsiblePoc` — Name and title of the person accountable
- `estimatedCostUsd` — Budget estimate for remediation
- `remediationPlan` — Phased plan with specific actions

### Step 4 — Track POA&M Progress

Monitor open items:

```
GET /systems/{systemId}/poam?status=open
GET /systems/{systemId}/poam?status=in_progress
```

Update items as work progresses:

```
PATCH /systems/{systemId}/poam/{poamId}
{ "status": "in_progress" }
```

When complete:

```
PATCH /systems/{systemId}/poam/{poamId}
{
  "status": "completed",
  "actualCompletionDate": "2025-08-10T00:00:00Z",
  "completionNotes": "Describe what was done and verification method."
}
```

### Step 5 — Risk Acceptance (when applicable)

If the AO decides to accept the risk rather than remediate:

```
PATCH /systems/{systemId}/poam/{poamId}
{
  "status": "accepted_risk",
  "completionNotes": "Risk accepted by [AO name] on [date]. Justification: [reason]. Compensating controls: [list]. Review date: [date]."
}
```

Always document:
- Who accepted the risk (name and authority)
- Why remediation is not feasible or cost-effective
- What compensating controls are in place
- When the acceptance will be re-evaluated

### Step 6 — Produce Risk Posture Report

Compile a report for the AO containing:

1. **Executive Summary** — Overall risk posture in 3–4 sentences.
2. **Finding Statistics** — Total | Critical | High | Moderate | Low.
3. **POA&M Dashboard** — Open | In Progress | Completed | Accepted Risk.
4. **Overdue Items** — Any POA&M items past their scheduled completion date.
5. **Top 5 Risks** — Highest-priority open items with cost and timeline.
6. **Budget Summary** — Total estimated remediation cost, spent vs remaining.
7. **Risk Acceptance Register** — All accepted risks with justification.
8. **Trend Analysis** — If prior assessments exist, show improvement or degradation.
9. **AO Recommendation** — Based on findings, recommend whether to authorize,
   authorize with conditions, or deny authorization.

## AO Decision Framework

| Condition | Recommendation |
|-----------|----------------|
| No critical/high findings, all POA&M on track | **Authorize** |
| Critical/high findings exist but POA&M has credible milestones | **Authorize with conditions** |
| Critical findings with no remediation plan | **Deny authorization** |
| All findings closed or accepted | **Reauthorize** |

## Output format

Use Markdown tables for all structured data. Use risk level indicators:

- 🔴 Critical
- 🟠 High
- 🟡 Moderate
- 🟢 Low

Present POA&M status as:
- 📋 Open
- 🔄 In Progress
- ✅ Completed
- ⚖️ Accepted Risk
- ❌ Cancelled

## Error handling

- If no assessments exist, suggest running an assessment first
  (recommend the Security Assessor skill).
- If findings reference controls not in the SSP, flag the discrepancy.

## Edge cases

- If all findings are low risk, recommend a streamlined POA&M
  approach with annual review cadence.
- If the user provides a budget constraint, filter POA&M items
  that fit within budget and defer the rest with justification.
- If the system has existing POA&M items from prior assessments,
  present a consolidated view of old and new items.

## Example interaction

**User:** "Review the E-HRIS assessment findings and create POA&M
items for everything that's other-than-satisfied."

**Agent:**
1. `GET /systems/sys-hris-001/assessments/assess-hris-2025q2`
2. Extract 3 other-than-satisfied findings (AC-4, IR-4, SI-2).
3. `POST /systems/sys-hris-001/poam` × 3 with milestones and costs.
4. Present POA&M dashboard and risk posture summary.