RA-03 Risk Assessment
a. Conduct a risk assessment, including:
1. Identifying threats to and vulnerabilities in the system;
2. Determining the likelihood and magnitude of harm from unauthorized access, use, disclosure, disruption, modification, or destruction of the system, the information it processes, stores, or transmits, and any related information; and
3. Determining the likelihood and impact of adverse effects on individuals arising from the processing of personally identifiable information;
b. Integrate risk assessment results and risk management decisions from the organization and mission or business process perspectives with system-level risk assessments;
c. Document risk assessment results in ra-03_odp.01;
d. Review risk assessment results ra-03_odp.03;
e. Disseminate risk assessment results to ra-03_odp.04; and
f. Update the risk assessment ra-03_odp.05 or when there are significant changes to the system, its environment of operation, or other conditions that may impact the security or privacy state of the system.
| Parameter | Value |
|---|---|
| ra-03_odp.04 | personnel or roles |
Risk assessments consider threats, vulnerabilities, likelihood, and impact to organizational operations and assets, individuals, other organizations, and the Nation. Risk assessments also consider risk from external parties, including contractors who operate systems on behalf of the organization, individuals who access organizational systems, service providers, and outsourcing entities.
Organizations can conduct risk assessments at all three levels in the risk management hierarchy (i.e., organization level, mission/business process level, or information system level) and at any stage in the system development life cycle. Risk assessments can also be conducted at various steps in the Risk Management Framework, including preparation, categorization, control selection, control implementation, control assessment, authorization, and control monitoring. Risk assessment is an ongoing activity carried out throughout the system development life cycle.
Risk assessments can also address information related to the system, including system design, the intended use of the system, testing results, and supply chain-related information or artifacts. Risk assessments can play an important role in control selection processes, particularly during the application of tailoring guidance and in the earliest phases of capability determination.
- OMB A-130 Office of Management and Budget Memorandum Circular A-130, *Managing Information as a Strategic Resource*, July 2016.
- SP 800-30 Joint Task Force Transformation Initiative (2012) Guide for Conducting Risk Assessments. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-30, Rev. 1.
- SP 800-39 Joint Task Force Transformation Initiative (2011) Managing Information Security Risk: Organization, Mission, and Information System View. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-39.
- SP 800-161 Boyens JM, Paulsen C, Moorthy R, Bartol N (2015) Supply Chain Risk Management Practices for Federal Information Systems and Organizations. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-161.
- IR 8023 Dempsey KL, Paulsen C (2015) Risk Management for Replication Devices. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 8023.
- IR 8062 Brooks S, Garcia M, Lefkovitz N, Lightman S, Nadeau E (2017) An Introduction to Privacy Engineering and Risk Management in Federal Systems. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 8062.
- IR 8272 Paulsen C, Winkler K, Boyens JM, Ng J, Gimbi J (2020) Impact Analysis Tool for Interdependent Cyber Supply Chain Risks. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 8272.
Control Enhancements (4)
- RA-03(01) Supply Chain Risk Assessment
- RA-03(02) Use of All-source Intelligence
- RA-03(03) Dynamic Threat Awareness
- RA-03(04) Predictive Cyber Analytics
Related Controls (26)
- CA-03 Information Exchange
- CA-06 Authorization
- CM-04 Impact Analyses
- CM-13 Data Action Mapping
- CP-06 Alternate Storage Site
- CP-07 Alternate Processing Site
- IA-08 Identification and Authentication (Non-organizational Users)
- MA-05 Maintenance Personnel
- PE-03 Physical Access Control
- PE-08 Visitor Access Records
- PE-18 Location of System Components
- PL-02 System Security and Privacy Plans
- PL-10 Baseline Selection
- PL-11 Baseline Tailoring
- PM-08 Critical Infrastructure Plan
- PM-09 Risk Management Strategy
- PM-28 Risk Framing
- PT-02 Authority to Process Personally Identifiable Information
- PT-07 Specific Categories of Personally Identifiable Information
- RA-02 Security Categorization
- RA-05 Vulnerability Monitoring and Scanning
- RA-07 Risk Response
- SA-08 Security and Privacy Engineering Principles
- SA-09 External System Services
- SC-38 Operations Security
- SI-12 Information Management and Retention