πΌ RA-3 Risk Assessment (L)(M)(H)
- Contextual name: πΌ RA-3 Risk Assessment (L)(M)(H)
- ID:
/frameworks/fedramp-high-security-controls/ra/03 - Located in: πΌ Risk Assessment
Descriptionβ
a. Conduct a risk assessment, including:
-
Identifying threats to and vulnerabilities in the system;
-
Determining the likelihood and magnitude of harm from unauthorized access, use, disclosure, disruption, modification, or destruction of the system, the information it processes, stores, or transmits, and any related information; and
-
Determining the likelihood and impact of adverse effects on individuals arising from the processing of personally identifiable information;
b. Integrate risk assessment results and risk management decisions from the organization and mission or business process perspectives with system-level risk assessments;
c. Document risk assessment results in [FedRAMP Assignment: security assessment report];
d. Review risk assessment results [FedRAMP Assignment: at least every three (3) years and when a significant change occurs];
e. Disseminate risk assessment results to [Assignment: organization-defined personnel or roles]; and
f. Update the risk assessment [FedRAMP Assignment: at least every three (3) years] or when there are significant changes to the system, its environment of operation, or other conditions that may impact the security or privacy state of the system.
RA-3 Additional FedRAMP Requirements and Guidance:
Guidance: Significant change is defined in NIST Special Publication 800-37 Revision 2, Appendix F.
(e) Requirement: Include all Authorizing Officials; for JAB authorizations to include FedRAMP.
Similarβ
- Sections
/frameworks/nist-sp-800-53-r5/ra/03
- Internal
- ID:
dec-c-79d45480
- ID:
Similar Sections (Take Policies From)β
| Section | Sub Sections | Internal Rules | Policies | Flags |
|---|---|---|---|---|
| πΌ NIST SP 800-53 Revision 5 β πΌ RA-3 Risk Assessment | 4 |
Similar Sections (Give Policies To)β
| Section | Sub Sections | Internal Rules | Policies | Flags |
|---|---|---|---|---|
| πΌ FedRAMP Low Security Controls β πΌ RA-3 Risk Assessment (L)(M)(H) | 1 | 7 | ||
| πΌ FedRAMP Moderate Security Controls β πΌ RA-3 Risk Assessment (L)(M)(H) | 1 | 7 |
Sub Sectionsβ
| Section | Sub Sections | Internal Rules | Policies | Flags |
|---|---|---|---|---|
| πΌ RA-3(1) Supply Chain Risk Assessment (L)(M)(H) |
Policies (7)β
| Policy | Logic Count | Flags |
|---|---|---|
| π Azure Subscription Microsoft Defender For (Managed Instance) Azure SQL Databases is not set to On π’ | 1 | π’ x6 |
| π Azure Subscription Microsoft Defender For App Services is not set to On π’ | 1 | π’ x6 |
| π Azure Subscription Microsoft Defender For Containers is not set to On π’ | 1 | π’ x6 |
| π Azure Subscription Microsoft Defender For Key Vault is not set to On π’ | 1 | π’ x6 |
| π Azure Subscription Microsoft Defender For Servers is not set to On π’ | 1 | π’ x6 |
| π Azure Subscription Microsoft Defender For SQL Servers On Machines is not set to On π’ | 1 | π’ x6 |
| π Azure Subscription Microsoft Defender For Storage is not set to On π’ | 1 | π’ x6 |
Internal Rulesβ
| Rule | Policies | Flags |
|---|---|---|
| βοΈ dec-x-1a2f6279 | 1 | |
| βοΈ dec-x-9f7d853f | 1 | |
| βοΈ dec-x-52ac4ac0 | 1 | |
| βοΈ dec-x-8535d1ff | 1 | |
| βοΈ dec-x-a00b4ec9 | 1 | |
| βοΈ dec-x-a0471977 | 1 | |
| βοΈ dec-x-fafadacd | 1 |