Sub-Mitigation Plans (Data Sensitivity Only)

Last updated: December 23, 2025

Sub-mitigation plans are a specialized feature in Cyrisma designed to support collaborative remediation for Data Sensitivity findings. They allow large, file-based mitigation efforts to be broken into smaller, assignable units while maintaining centralized oversight and accountability.

This functionality is intentionally limited to Data Sensitivity mitigation plans and does not apply to Vulnerability or Secure Baseline plans.


Why Sub-Mitigation Plans Exist

Data Sensitivity scans can produce large volumes of file- and folder-level findings that often require review or action by multiple individuals.

Sub-mitigation plans exist to:

  • Divide large data remediation efforts into manageable segments

  • Assign responsibility to multiple users without duplicating the parent plan

  • Maintain centralized tracking while enabling parallel work

  • Reduce bottlenecks caused by single-owner remediation

Other scan types do not require sub-mitigations because their findings are already segmented by target.


Supported Scope and Limitations

Sub-mitigation plans are supported only for:

  • Data Sensitivity mitigation plans

They are not available for:

  • Vulnerability mitigation plans

  • Secure Baseline mitigation plans

This restriction exists because only Data Sensitivity findings are file- and folder-based.


File and Folder Scoping

Each sub-mitigation plan is scoped to a subset of the parent plan’s findings.

Scoping rules:

  • Sub-mitigations can include specific files or folders

  • Each file or folder can belong to only one sub-mitigation plan

  • The parent mitigation plan retains visibility into all files and folders

  • Sub-plan assignees see only the files or folders assigned to them

This ensures clear separation of responsibility while preserving centralized oversight.


Ownership and Accountability Model

The ownership model is hierarchical.

Primary mitigation plan owner:

  • Retains ownership of the overall mitigation plan

  • Has visibility into all sub-mitigation plans

  • Can review actions taken in each sub-plan

  • Remains accountable for overall plan completion

Sub-mitigation assignees:

  • Are responsible only for their assigned files or folders

  • Cannot modify scope outside their sub-plan

  • Must complete actions within the parent plan’s date range

The parent plan cannot be completed until all sub-mitigations are completed.


Department Constraints

Sub-mitigation plans enforce departmental boundaries.

Assignment rules:

  • Sub-mitigation assignees must belong to the same department as the primary plan owner

  • Cross-department assignment is not supported

  • This constraint ensures appropriate access control for sensitive data

If reassignment is required, the parent plan must first be reassigned to a user in the correct department.
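The scoping, ownership and department rules described above, modeled as an added example that is not Cyrisma's own code: the `User`, `SubMitigation` and `MitigationPlan` types, the path strings and the ISO date strings are assumptions made for illustration, and the functions return the rule violations so each constraint can be checked directly.

```python
from collections import namedtuple
from dataclasses import dataclass, field

User = namedtuple("User", "name department")  # assumed shape of a Cyrisma user

@dataclass
class SubMitigation:
    assignee: User
    paths: frozenset  # files/folders carved out of the parent plan
    completed: bool = False

@dataclass
class MitigationPlan:
    owner: User
    start: str  # ISO date, e.g. "2025-01-06" (assumed representation)
    end: str
    findings: frozenset  # file/folder findings from the Data Sensitivity scan
    sub_plans: list = field(default_factory=list)

def sub_plan_violations(plan, assignee, paths):
    """Rules a proposed sub-plan would break; an empty list means it is allowed."""
    claimed = frozenset().union(*(s.paths for s in plan.sub_plans))
    checks = [
        (assignee.department != plan.owner.department, "assignee must be in the parent owner's department"),
        (not paths <= plan.findings, "paths must come from the parent plan's findings"),
        (bool(paths & claimed), "a file or folder can belong to only one sub-plan"),
    ]
    return [msg for failed, msg in checks if failed]

def create_sub_plan(plan, assignee, paths):
    problems = sub_plan_violations(plan, assignee, frozenset(paths))
    if problems:
        raise ValueError("; ".join(problems))
    plan.sub_plans.append(SubMitigation(assignee, frozenset(paths)))
    return plan.sub_plans[-1]

def visible_paths(plan, user):
    """The owner sees every finding; an assignee sees only their own sub-plan."""
    if user == plan.owner:
        return plan.findings
    return frozenset().union(*(s.paths for s in plan.sub_plans if s.assignee == user))

def complete_sub_plan(plan, sub, on):
    if not plan.start <= on <= plan.end:  # actions must fit the parent's date range
        raise ValueError("action outside the parent plan's date range")
    sub.completed = True

def parent_can_complete(plan):
    return all(s.completed for s in plan.sub_plans)
```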


Notification Behavior

When a sub-mitigation plan is created:

  • The assigned user receives an automated notification

  • The notification prompts the assignee to begin work

  • No additional manual notification is required

Notifications are informational and do not alter plan status.


Summary

Sub-mitigation plans provide a controlled, collaborative remediation model for Data Sensitivity findings in Cyrisma. By allowing file- and folder-level segmentation within a single mitigation plan, they enable parallel remediation while preserving centralized visibility, accountability, and auditability.