
💼 RA-3 Risk Assessment

  • Contextual name: 💼 RA-3 Risk Assessment
  • ID: /frameworks/nist-sp-800-53-r5/ra/03
  • Located in: 💼 RA Risk Assessment

Description

a. Conduct a risk assessment, including:

  1. Identifying threats to and vulnerabilities in the system;
  2. Determining the likelihood and magnitude of harm from unauthorized access, use, disclosure, disruption, modification, or destruction of the system, the information it processes, stores, or transmits, and any related information; and
  3. Determining the likelihood and impact of adverse effects on individuals arising from the processing of personally identifiable information;

b. Integrate risk assessment results and risk management decisions from the organization and mission or business process perspectives with system-level risk assessments;

c. Document risk assessment results in [Selection: security and privacy plans; risk assessment report; [Assignment: organization-defined document]];

d. Review risk assessment results [Assignment: organization-defined frequency];

e. Disseminate risk assessment results to [Assignment: organization-defined personnel or roles]; and

f. Update the risk assessment [Assignment: organization-defined frequency] or when there are significant changes to the system, its environment of operation, or other conditions that may impact the security or privacy state of the system.

Similar

  • Internal
    • ID: dec-c-b1346030

Similar Sections (Give Policies To)

Section | Sub Sections | Internal Rules | Policies | Flags
💼 FedRAMP High Security Controls → 💼 RA-3 Risk Assessment (L)(M)(H)177
💼 FedRAMP Low Security Controls → 💼 RA-3 Risk Assessment (L)(M)(H)17
💼 NIST CSF v2.0 → 💼 DE.AE-06: Information on adverse events is provided to authorized staff and tools33
💼 NIST CSF v2.0 → 💼 DE.AE-07: Cyber threat intelligence and other contextual information are integrated into the analysis22
💼 NIST CSF v2.0 → 💼 GV.RM-06: A standardized method for calculating, documenting, categorizing, and prioritizing cybersecurity risks is established and communicated
💼 NIST CSF v2.0 → 💼 GV.RM-07: Strategic opportunities (i.e., positive risks) are characterized and are included in organizational cybersecurity risk discussions
💼 NIST CSF v2.0 → 💼 GV.SC-03: Cybersecurity supply chain risk management is integrated into cybersecurity and enterprise risk management, risk assessment, and improvement processes7
💼 NIST CSF v2.0 → 💼 GV.SC-09: Supply chain security practices are integrated into cybersecurity and enterprise risk management programs, and their performance is monitored throughout the technology product and service life cycle
💼 NIST CSF v2.0 → 💼 GV.SC-10: Cybersecurity supply chain risk management plans include provisions for activities that occur after the conclusion of a partnership or service agreement
💼 NIST CSF v2.0 → 💼 ID.AM-05: Assets are prioritized based on classification, criticality, resources, and impact on the mission
💼 NIST CSF v2.0 → 💼 ID.IM-01: Improvements are identified from evaluations10
💼 NIST CSF v2.0 → 💼 ID.IM-02: Improvements are identified from security tests and exercises, including those done in coordination with suppliers and relevant third parties23
💼 NIST CSF v2.0 → 💼 ID.IM-03: Improvements are identified from execution of operational processes, procedures, and activities24
💼 NIST CSF v2.0 → 💼 ID.RA-01: Vulnerabilities in assets are identified, validated, and recorded22
💼 NIST CSF v2.0 → 💼 ID.RA-03: Internal and external threats to the organization are identified and recorded7
💼 NIST CSF v2.0 → 💼 ID.RA-04: Potential impacts and likelihoods of threats exploiting vulnerabilities are identified and recorded7
💼 NIST CSF v2.0 → 💼 ID.RA-05: Threats, vulnerabilities, likelihoods, and impacts are used to understand inherent risk and inform risk response prioritization7
💼 NIST CSF v2.0 → 💼 RS.AN-08: An incident's magnitude is estimated and validated

Sub Sections

Section | Sub Sections | Internal Rules | Policies | Flags
💼 RA-3(1) Risk Assessment | Supply Chain Risk Assessment
💼 RA-3(2) Risk Assessment | Use of All-source Intelligence
💼 RA-3(3) Risk Assessment | Dynamic Threat Awareness
💼 RA-3(4) Risk Assessment | Predictive Cyber Analytics