RA-3 Risk Assessment (L)(M)(H)
- Contextual name: RA-3 Risk Assessment (L)(M)(H)
- ID: /frameworks/fedramp-moderate-security-controls/ra/03
- Located in: Risk Assessment
Description
a. Conduct a risk assessment, including:
- Identifying threats to and vulnerabilities in the system;
- Determining the likelihood and magnitude of harm from unauthorized access, use, disclosure, disruption, modification, or destruction of the system, the information it processes, stores, or transmits, and any related information; and
- Determining the likelihood and impact of adverse effects on individuals arising from the processing of personally identifiable information;
b. Integrate risk assessment results and risk management decisions from the organization and mission or business process perspectives with system-level risk assessments;
c. Document risk assessment results in [FedRAMP Assignment: security assessment report];
d. Review risk assessment results [FedRAMP Assignment: at least every three (3) years and when a significant change occurs];
e. Disseminate risk assessment results to [Assignment: organization-defined personnel or roles]; and
f. Update the risk assessment [FedRAMP Assignment: at least every three (3) years] or when there are significant changes to the system, its environment of operation, or other conditions that may impact the security or privacy state of the system.
RA-3 Additional FedRAMP Requirements and Guidance:
Guidance: Significant change is defined in NIST Special Publication 800-37 Revision 2, Appendix F.
(e) Requirement: Include all Authorizing Officials; for JAB authorizations to include FedRAMP.
Similar
- Sections
  - /frameworks/fedramp-high-security-controls/ra/03
- Internal
  - ID: dec-c-79d45480
Similar Sections (Take Policies From)
Section | Sub Sections | Internal Rules | Policies | Flags
---|---|---|---|---
FedRAMP High Security Controls > RA-3 Risk Assessment (L)(M)(H) | 1 | 7 | 7 |
Sub Sections
Section | Sub Sections | Internal Rules | Policies | Flags
---|---|---|---|---
RA-3(1) Supply Chain Risk Assessment (L)(M)(H) | | | |
Policies (7)
Policy | Logic Count | Flags
---|---|---
Azure Subscription Microsoft Defender For (Managed Instance) Azure SQL Databases is not set to On | 1 | x6
Azure Subscription Microsoft Defender For App Services is not set to On | 1 | x6
Azure Subscription Microsoft Defender For Containers is not set to On | 1 | x6
Azure Subscription Microsoft Defender For Key Vault is not set to On | 1 | x6
Azure Subscription Microsoft Defender For Servers is not set to On | 1 | x6
Azure Subscription Microsoft Defender For SQL Servers On Machines is not set to On | 1 | x6
Azure Subscription Microsoft Defender For Storage is not set to On | 1 | x6