RA-3: Risk Assessment
From NIST's SP800-53:
a. Conduct a risk assessment, including: 1. Identifying threats to and vulnerabilities in the system; 2. Determining the likelihood and magnitude of harm from unauthorized access, use, disclosure, disruption, modification, or destruction of the system, the information it processes, stores, or transmits, and any related information; and 3. Determining the likelihood and impact of adverse effects on individuals arising from the processing of personally identifiable information; b. Integrate risk assessment results and risk management decisions from the organization and mission or business process perspectives with system-level risk assessments; c. Document risk assessment results in [Selection: security and privacy plans; risk assessment report; [Assignment: organization-defined document]]; d. Review risk assessment results [Assignment: organization-defined frequency]; e. Disseminate risk assessment results to [Assignment: organization-defined personnel or roles]; and f. Update the risk assessment [Assignment: organization-defined frequency] or when there are significant changes to the system, its environment of operation, or other conditions that may impact the security or privacy state of the system.
Cyber Threat Graph Context
Explore how this control relates to the wider threat graph
SP800-53 Control Mapped to NIST Cyber Security Framework
Generated from NISTs SP800-53/CSF Crosswalk mappings.
| Control ID | Description |
|---|---|
| ID.SC-2 | Suppliers and third party partners of information systems, components, and services are identified, prioritized, and assessed using a cyber supply chain risk assessment process |
| ID.RA-5 | Threats, vulnerabilities, likelihoods, and impacts are used to determine risk |
| DE.AE-4 | Impact of events is determined |
| ID.RA-3 | Threats, both internal and external, are identified and documented |
| ID.RA-1 | Asset vulnerabilities are identified and documented |
| PR.IP-12 | A vulnerability management plan is developed and implemented |
| ID.RA-4 | Potential business impacts and likelihoods are identified |
| RS.MI-3 | Newly identified vulnerabilities are mitigated or documented as accepted risks |