
Risk Management Policy

Document ID: AUL-POL-03
Version: 1.0
Classification: Internal
Owner: Chief Technology Officer / ISSM
Effective: TBD-YYYY-MM-DD
Next Review: TBD-YYYY-MM-DD

1. Purpose
This policy establishes the risk management framework for Aulendur Labs, Inc. It defines how cybersecurity and operational risks are identified, assessed, prioritized, treated, and monitored to protect Aulendur's information assets, Controlled Unclassified Information (CUI), and contractual obligations. This policy directly implements NIST SP 800-171 Rev. 3 controls 03.11.01 (Risk Assessment) and 03.11.04 (Risk Response).
2. Scope
This policy applies to:
- Personnel: All employees, contractors, and advisors involved in risk identification, assessment, or treatment decisions.
- Systems: All information systems owned or operated by Aulendur Labs, including production (Linode, Cloudflare, AWS), development, corporate IT (Google Workspace, GitHub, 1Password, Slack), and the planned CUI Enclave (AWS GovCloud).
- Data: All data classifications — Public, Internal, Confidential, CUI, and ITAR-controlled technical data.
- Processes: All business and technical processes that create, process, store, or transmit Aulendur data.
3. Roles & Responsibilities
| Role | Responsibility |
|---|---|
| Chief Executive Officer (CEO) | Approves the organizational risk appetite; accepts residual risk; allocates risk treatment resources. |
| Chief Technology Officer (CTO) / ISSM | Owns this policy; conducts or commissions risk assessments; maintains the Risk Register; reports risk posture quarterly. |
| ISSO (acting: CTO/ISSM) | Assists with risk identification and evidence collection; monitors control effectiveness. |
| System Owners | Identify and report risks within their systems; implement risk treatment actions assigned to them. |
| Data Owners | Identify data-specific risks; validate classification-driven risk ratings. |
| All Personnel | Report identified risks, threats, and vulnerabilities to the CTO/ISSM. |
4. Policy Statements

4.1 Risk Management Framework
4.1.1 Aulendur Labs shall operate a risk management framework aligned with NIST SP 800-37 Rev. 2 (Risk Management Framework) and tailored to the organization's ~5-person scale.
4.1.2 The risk management lifecycle shall consist of: (a) risk identification, (b) risk analysis, (c) risk evaluation, (d) risk treatment, and (e) risk monitoring and review.
4.1.3 The CTO/ISSM shall document the risk management framework in this policy and the SSP (forthcoming). The framework shall be reviewed and updated at least annually.
4.2 Risk Assessment
4.2.1 The CTO/ISSM shall conduct a comprehensive risk assessment at least annually. The assessment shall cover all systems within scope of NIST SP 800-171 R3 and CMMC 2.0 Level 2.
4.2.2 Interim risk assessments shall be conducted within 30 calendar days of any of the following: (a) a significant change to the system architecture or technology stack, (b) a new contract introducing CUI or ITAR-controlled data, (c) a security incident rated Medium severity or higher, or (d) a material change to the threat landscape affecting the defense industrial base.
4.2.3 Risk assessments shall identify: (a) threat sources and threat events relevant to Aulendur's mission and contracts, (b) vulnerabilities in systems and processes, (c) the likelihood of threat event occurrence, (d) the potential impact to confidentiality, integrity, and availability, and (e) existing controls and their effectiveness.
4.2.4 The CTO/ISSM shall use the following risk rating matrix:
| Likelihood \ Impact | Negligible | Low | Moderate | High | Critical |
|---|---|---|---|---|---|
| Very Likely | Low | Medium | High | Critical | Critical |
| Likely | Low | Medium | High | High | Critical |
| Possible | Low | Low | Medium | High | High |
| Unlikely | Low | Low | Low | Medium | High |
| Rare | Low | Low | Low | Low | Medium |
4.2.5 Impact ratings shall account for: (a) loss of CUI confidentiality (DFARS contractual breach, potential debarment), (b) loss of ITAR-controlled data (criminal penalties under 22 USC 2778), (c) disruption to DTRA SBIR Phase I deliverables, (d) reputational damage, and (e) financial loss.
4.3 Risk Appetite and Tolerance
4.3.1 The CEO shall approve the organizational risk appetite statement. Aulendur Labs adopts a low risk appetite for: (a) unauthorized disclosure of CUI or ITAR-controlled data, (b) non-compliance with DFARS 252.204-7012, and (c) Section 889 violations.
4.3.2 Aulendur Labs adopts a moderate risk appetite for operational risks not directly impacting regulatory compliance or contractual obligations.
4.3.3 No risk rated Critical shall be accepted without CEO written approval and a documented compensating control.
> [!NOTE]
> DECISION POINT: Risk appetite is set to "low" for all CUI/ITAR/DFARS matters and "moderate" for general operational risks. This reflects the pre-seed stage where regulatory compliance is existential but some operational agility is needed. The CEO should review and formally approve this appetite statement.
4.4 Risk Treatment
4.4.1 For each identified risk, the CTO/ISSM shall select one of the following treatment options: (a) mitigate — implement controls to reduce likelihood or impact, (b) transfer — shift risk via insurance or contractual arrangement, (c) avoid — eliminate the activity creating the risk, or (d) accept — acknowledge the risk with documented rationale and CEO approval for High/Critical risks.
4.4.2 Risk treatment actions shall be documented in the Risk Register with: (a) the assigned owner, (b) the target completion date, (c) the treatment option selected, and (d) the expected residual risk rating after treatment.
4.4.3 Risks requiring remediation that cannot be completed within 30 calendar days shall be entered into the POA&M with milestones and target dates.
4.5 Risk Register
4.5.1 The CTO/ISSM shall maintain a Risk Register at registers/risk-register.md (forthcoming). The register shall include, at minimum: risk ID, description, threat source, vulnerability, likelihood, impact, inherent risk rating, treatment option, control(s) applied, residual risk rating, risk owner, and status.
4.5.2 The Risk Register shall be reviewed and updated quarterly, or after any interim risk assessment.
4.5.3 The CTO/ISSM shall report the top 5 risks by residual rating to the CEO quarterly.
4.6 Vulnerability Monitoring
4.6.1 The CTO/ISSM shall monitor vulnerability advisories from CISA, NVD, and vendor security bulletins relevant to Aulendur's technology stack (Linode, Cloudflare, AWS, GitHub Actions, Google Workspace, 1Password, Python/Node.js dependencies) (NIST SP 800-171 R3 03.11.02).
4.6.2 Vulnerability scan results and penetration test findings shall be incorporated into the risk assessment process and tracked in the Risk Register.
4.7 Risk Monitoring and Review
4.7.1 The CTO/ISSM shall review control effectiveness and risk posture quarterly. This review shall inform the CEO's quarterly security posture briefing.
4.7.2 Changes to the risk environment — including new contracts, new systems, personnel changes, and threat intelligence — shall trigger a review of affected risk entries within 15 calendar days.
4.7.3 The annual risk assessment results shall be documented and retained for a minimum of 3 years.
5. Standards & Procedures Referenced
The following companion documents implement this policy:
- Information Security Policy
- Patch & Vulnerability Management Policy (forthcoming)
- Compliance Management Policy (forthcoming)
- POA&M Policy (forthcoming)
- Risk Register — registers/risk-register.md (forthcoming)
- Vulnerability Severity & SLA Standard (forthcoming)

6. Compliance & Enforcement
Violations of this policy may result in disciplinary action up to and including termination of employment or contract. Failure to report identified risks or to execute assigned risk treatment actions shall be addressed through the performance management process. Suspected violations shall be reported to the CTO/ISSM.
7. Exceptions
Exceptions to this policy require written approval per the Policy Exception & Waiver Policy (forthcoming). Exceptions are time-bounded (maximum 180 calendar days), backed by compensating controls, and tracked in the Exception Register.
8. Definitions
| Term | Definition |
|---|---|
| Risk | The effect of uncertainty on objectives, expressed as a combination of the likelihood of a threat event and its potential impact. |
| Risk Appetite | The level of risk the organization is willing to accept in pursuit of its objectives. |
| Risk Register | A structured record of identified risks, their assessment, treatment decisions, and current status. |
| POA&M | Plan of Action and Milestones — a document identifying tasks to correct security deficiencies and reduce risk, with milestones and target dates. |
| Residual Risk | The risk remaining after controls and treatment actions have been applied. |
| Threat Source | An entity (adversary, accident, or environment) with the potential to exploit a vulnerability. |
| Vulnerability | A weakness in a system, process, or control that could be exploited by a threat source. |
| CUI | Controlled Unclassified Information, per 32 CFR Part 2002. |
9. References
- NIST SP 800-171 Rev. 3, Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations
- NIST SP 800-37 Rev. 2, Risk Management Framework for Information Systems and Organizations
- NIST SP 800-30 Rev. 1, Guide for Conducting Risk Assessments
- NIST SP 800-53 Rev. 5, Security and Privacy Controls for Information Systems and Organizations
- CMMC 2.0 Level 2, Cybersecurity Maturity Model Certification
- DFARS 252.204-7012, Safeguarding Covered Defense Information and Cyber Incident Reporting
- ISO 31000:2018, Risk Management — Guidelines (reference only)
10. Control Mappings
| Framework | Control ID | Control Title | Coverage |
|---|---|---|---|
| NIST SP 800-171 R3 | 03.11.01 | Risk Assessment | Full |
| NIST SP 800-171 R3 | 03.11.02 | Vulnerability Monitoring and Scanning | Partial — scanning details in AUL-POL-38 |
| NIST SP 800-171 R3 | 03.11.04 | Risk Response | Full |
| CMMC 2.0 L2 | RM.L2-3.11.1 | Risk Assessments | Full |
| CMMC 2.0 L2 | RM.L2-3.11.2 | Vulnerability Scan | Partial — scanning details in AUL-POL-38 |
| CMMC 2.0 L2 | RM.L2-3.11.3 | Risk Response | Full |
| NIST SP 800-53 R5 | RA-3 | Risk Assessment | Full |
| NIST SP 800-53 R5 | RA-5 | Vulnerability Monitoring and Scanning | Partial — scanning details in AUL-POL-38 |
| NIST SP 800-53 R5 | PM-9 | Risk Management Strategy | Full |
11. Revision History
| Version | Date | Author | Changes |
|---|---|---|---|
| 1.0 | TBD-YYYY-MM-DD | J. Gershenson | Initial issue. |
© Aulendur Labs, Inc. 2026. Internal use only unless otherwise classified.