Mitigation Plans: Concepts and Scope

Last updated: December 23, 2025

Mitigation Plans in Cyrisma provide a structured way to document, assign, and track remediation efforts based on scan results. They function as a governance and workflow layer rather than an automated remediation engine.

This article explains what mitigation plans are, which scan types they support, how they behave over time, and what they intentionally do not do.


What Mitigation Plans Are

A mitigation plan is a scan-derived record used to track how identified risks are being addressed. It captures the state of findings at a specific point in time and assigns responsibility for managing those findings.

Mitigation plans are designed to support:

  • Accountability for remediation activities

  • Documentation of decisions and actions taken

  • Progress tracking over a defined time window

  • Audit and review of risk handling

They are not designed to dynamically remediate issues or reflect real-time system state.


Scan-Based and Static by Design

Mitigation plans are created from completed scan results and are static once created.

Key characteristics:

  • A mitigation plan represents the findings from a specific scan

  • Findings do not change after the plan is created

  • New scans do not update existing mitigation plans

  • Remediation actions taken outside the plan are not automatically reflected

If remediation occurs after a mitigation plan is created, the results of that remediation are only visible in subsequent scans, not retroactively in the existing plan.

This design ensures mitigation plans remain a reliable historical record of what was identified and how it was handled at that time.


Supported Scan Types

Mitigation plans can be created from the following scan types.

Vulnerability Scans

Vulnerability-based mitigation plans are target-based and root-cause driven.

They are used to track actions taken against:

  • CVEs

  • Vulnerable software

  • Patchable and non-patchable root causes

These plans focus on documenting remediation decisions rather than executing fixes.


Secure Baseline Scans

Secure baseline mitigation plans are target-based and configuration-driven.

They are used to track handling of:

  • Configuration misalignments

  • Policy deviations

  • Secure baseline benchmark findings

They support documenting exceptions, compensating controls, or configuration changes made outside the platform.


Data Sensitivity Scans

Data sensitivity mitigation plans are file- and folder-based.

They are used to manage:

  • Sensitive data findings

  • File-level remediation actions

  • Ownership and responsibility for data handling

Data sensitivity mitigation plans uniquely support sub-mitigations, allowing work to be divided across multiple assignees.


What Mitigation Plans Do Not Do

Mitigation plans intentionally do not function as an automated remediation system.

They do not:

  • Automatically patch systems

  • Automatically remediate vulnerabilities

  • Update based on future scans

  • Reflect live system state

  • Automatically close when remediation occurs outside the plan

They are not a replacement for Patch Manager or agent-based remediation.


Relationship to Patching and Remediation

Patching and mitigation plans are conceptually related but operationally separate.

  • Patch Manager performs direct remediation on supported software

  • Mitigation plans track and document remediation decisions

  • Patching actions do not automatically update mitigation plans

  • Users may document patching activity manually within a mitigation plan

This separation is intentional. Mitigation plans serve as a governance and tracking mechanism, while Patch Manager serves as a remediation engine.


Why Mitigation Plans Do Not Auto-Update

Mitigation plans are based on static scan data to preserve integrity and auditability.

Automatically updating plans after patching or rescanning would:

  • Alter historical records

  • Obscure what was originally identified

  • Reduce clarity for audits and reviews

Instead, Cyrisma relies on new scans to reflect the current security posture, while mitigation plans preserve the decision-making trail tied to earlier findings.
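The snapshot semantics described above, as an added illustration that is not part of the Cyrisma product or its API: a plan is built once from one scan's findings, later scans never alter it, and a comparison against the newest scan tells the assignee which plan findings no longer appear and should be documented manually. The class names, fields and finding identifiers are constructed for this example.

```python
from dataclasses import dataclass, field
from datetime import date


@dataclass(frozen=True)
class Finding:
    """One scan finding; frozen so it can live in an immutable set."""
    target: str       # asset the finding applies to
    identifier: str   # e.g. a CVE ID or benchmark rule ID (constructed here)
    root_cause: str   # vulnerable software or misconfiguration


@dataclass
class MitigationPlan:
    """Static record of one scan's findings plus decisions recorded against them."""
    scan_id: str
    created: date
    findings: frozenset            # never changed after creation
    decisions: dict = field(default_factory=dict)  # Finding -> note

    @classmethod
    def from_scan(cls, scan_id, created, scan_findings):
        return cls(scan_id, created, frozenset(scan_findings))

    def document(self, finding, note):
        """Record a decision; only findings from the originating scan are allowed."""
        if finding not in self.findings:
            raise KeyError("finding is not part of this plan's scan")
        self.decisions[finding] = note


def no_longer_observed(plan, latest_scan_findings):
    """Plan findings absent from a later scan: remediation happened outside the
    plan and is visible only via the new scan, so these need manual documentation."""
    return plan.findings - frozenset(latest_scan_findings)


# Constructed sample data: the first scan seeds the plan; in the second scan the
# openssl finding is gone because it was patched outside the plan.
SCAN_1 = [Finding("web-01", "CVE-PLACEHOLDER-1", "openssl"),
          Finding("web-01", "CVE-PLACEHOLDER-2", "nginx")]
SCAN_2 = [Finding("web-01", "CVE-PLACEHOLDER-2", "nginx")]

PLAN = MitigationPlan.from_scan("scan-1", date(2025, 12, 1), SCAN_1)
PLAN.document(SCAN_1[1], "vendor fix scheduled for next maintenance window")
```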


Summary

Mitigation plans in Cyrisma provide a structured, scan-based method for tracking how risks are handled across vulnerability, secure baseline, and data sensitivity findings. They are static by design, intentionally decoupled from automated remediation, and focused on accountability and documentation rather than execution.

They should be used alongside Patch Manager and ongoing scanning to support a complete remediation lifecycle.