
💼 RA-3 Risk Assessment

  • Contextual name: 💼 RA-3 Risk Assessment
  • ID: /frameworks/nist-sp-800-53-r5/ra/03
  • Located in: 💼 RA Risk Assessment

Description

a. Conduct a risk assessment, including:

  1. Identifying threats to and vulnerabilities in the system;
  2. Determining the likelihood and magnitude of harm from unauthorized access, use, disclosure, disruption, modification, or destruction of the system, the information it processes, stores, or transmits, and any related information; and
  3. Determining the likelihood and impact of adverse effects on individuals arising from the processing of personally identifiable information;

b. Integrate risk assessment results and risk management decisions from the organization and mission or business process perspectives with system-level risk assessments;

c. Document risk assessment results in [Selection: security and privacy plans; risk assessment report; [Assignment: organization-defined document]];

d. Review risk assessment results [Assignment: organization-defined frequency];

e. Disseminate risk assessment results to [Assignment: organization-defined personnel or roles]; and

f. Update the risk assessment [Assignment: organization-defined frequency] or when there are significant changes to the system, its environment of operation, or other conditions that may impact the security or privacy state of the system.

Similar

  • Internal
    • ID: dec-c-b1346030

Similar Sections (Give Policies To)

Section | Sub Sections | Internal Rules | Policies | Flags
💼 FedRAMP High Security Controls → 💼 RA-3 Risk Assessment (L)(M)(H)177
💼 FedRAMP Low Security Controls → 💼 RA-3 Risk Assessment (L)(M)(H)17
💼 NIST CSF v2.0 → 💼 DE.AE-06: Information on adverse events is provided to authorized staff and tools32
💼 NIST CSF v2.0 → 💼 DE.AE-07: Cyber threat intelligence and other contextual information are integrated into the analysis37
💼 NIST CSF v2.0 → 💼 GV.RM-06: A standardized method for calculating, documenting, categorizing, and prioritizing cybersecurity risks is established and communicated
💼 NIST CSF v2.0 → 💼 GV.RM-07: Strategic opportunities (i.e., positive risks) are characterized and are included in organizational cybersecurity risk discussions
💼 NIST CSF v2.0 → 💼 GV.SC-03: Cybersecurity supply chain risk management is integrated into cybersecurity and enterprise risk management, risk assessment, and improvement processes10
💼 NIST CSF v2.0 → 💼 GV.SC-09: Supply chain security practices are integrated into cybersecurity and enterprise risk management programs, and their performance is monitored throughout the technology product and service life cycle
💼 NIST CSF v2.0 → 💼 GV.SC-10: Cybersecurity supply chain risk management plans include provisions for activities that occur after the conclusion of a partnership or service agreement
💼 NIST CSF v2.0 → 💼 ID.AM-05: Assets are prioritized based on classification, criticality, resources, and impact on the mission
💼 NIST CSF v2.0 → 💼 ID.IM-01: Improvements are identified from evaluations20
💼 NIST CSF v2.0 → 💼 ID.IM-02: Improvements are identified from security tests and exercises, including those done in coordination with suppliers and relevant third parties33
💼 NIST CSF v2.0 → 💼 ID.IM-03: Improvements are identified from execution of operational processes, procedures, and activities34
💼 NIST CSF v2.0 → 💼 ID.RA-01: Vulnerabilities in assets are identified, validated, and recorded26
💼 NIST CSF v2.0 → 💼 ID.RA-03: Internal and external threats to the organization are identified and recorded7
💼 NIST CSF v2.0 → 💼 ID.RA-04: Potential impacts and likelihoods of threats exploiting vulnerabilities are identified and recorded7
💼 NIST CSF v2.0 → 💼 ID.RA-05: Threats, vulnerabilities, likelihoods, and impacts are used to understand inherent risk and inform risk response prioritization7
💼 NIST CSF v2.0 → 💼 RS.AN-08: An incident's magnitude is estimated and validated1

Sub Sections

Section | Sub Sections | Internal Rules | Policies | Flags
💼 RA-3(1) Risk Assessment _ Supply Chain Risk Assessment
💼 RA-3(2) Risk Assessment _ Use of All-source Intelligence
💼 RA-3(3) Risk Assessment _ Dynamic Threat Awareness
💼 RA-3(4) Risk Assessment _ Predictive Cyber Analytics