When the results of the risk assessment determine that the level of residual risk is acceptable, the documented threats, vulnerabilities, countermeasures, and system configuration become part of the overall system baseline.