RA-3: Risk Assessment

Control family: Risk Assessment (RA)
Baselines
Low · Included | Moderate · Included | High · Included
Description

a. Conduct a risk assessment, including:
   1. Identifying threats to and vulnerabilities in the system;
   2. Determining the likelihood and magnitude of harm from unauthorized access, use, disclosure, disruption, modification, or destruction of the system, the information it processes, stores, or transmits, and any related information; and
   3. Determining the likelihood and impact of adverse effects on individuals arising from the processing of personally identifiable information;
b. Integrate risk assessment results and risk management decisions from the organization and mission or business process perspectives with system-level risk assessments;
c. Document risk assessment results in [assignment];
d. Review risk assessment results [assignment];
e. Disseminate risk assessment results to [assignment]; and
f. Update the risk assessment [assignment] or when there are significant changes to the system, its environment of operation, or other conditions that may impact the security or privacy state of the system.

Discussion

Risk assessments consider threats, vulnerabilities, likelihood, and impact to organizational operations and assets, individuals, other organizations, and the Nation. Risk assessments also consider risk from external parties, including contractors who operate systems on behalf of the organization, individuals who access organizational systems, service providers, and outsourcing entities. Organizations can conduct risk assessments at all three levels in the risk management hierarchy (i.e., organization level, mission/business process level, or information system level) and at any stage in the system development life cycle. Risk assessments can also be conducted at various steps in the Risk Management Framework, including preparation, categorization, control selection, control implementation, control assessment, authorization, and control monitoring. Risk assessment is an ongoing activity carried out throughout the system development life cycle. Risk assessments can also address information related to the system, including system design, the intended use of the system, testing results, and supply chain-related information or artifacts. Risk assessments can play an important role in control selection processes, particularly during the application of tailoring guidance and in the earliest phases of capability determination.

CSF 2.0 crosswalk
DE.AE-06 | Information on adverse events is provided to authorized staff and tools | Detect
DE.AE-07 | Cyber threat intelligence and other contextual information are integrated into the analysis | Detect
GV.RM-06 | A standardized method for calculating, documenting, categorizing, and prioritizing cybersecurity risks is established and communicated | Govern
GV.RM-07 | Strategic opportunities (i.e., positive risks) are characterized and are included in organizational cybersecurity risk discussions | Govern
GV.SC-03 | Cybersecurity supply chain risk management is integrated into cybersecurity and enterprise risk management, risk assessment, and improvement processes | Govern
GV.SC-09 | Supply chain security practices are integrated into cybersecurity and enterprise risk management programs, and their performance is monitored throughout the technology product and service life cycle | Govern
GV.SC-10 | Cybersecurity supply chain risk management plans include provisions for activities that occur after the conclusion of a partnership or service agreement | Govern
ID.AM-05 | Assets are prioritized based on classification, criticality, resources, and impact on the mission | Identify
ID.IM-01 | Improvements are identified from evaluations | Identify
ID.IM-02 | | Identify
ID.IM-03 | Improvements are identified from execution of operational processes, procedures, and activities | Identify
ID.RA-01 | Vulnerabilities in assets are identified, validated, and recorded | Identify
ID.RA-03 | Internal and external threats to the organization are identified and recorded | Identify
ID.RA-04 | Potential impacts and likelihoods of threats exploiting vulnerabilities are identified and recorded | Identify
ID.RA-05 | Threats, vulnerabilities, likelihoods, and impacts are used to understand inherent risk and inform risk response prioritization | Identify
RS.AN-08 | An incident's magnitude is estimated and validated | Respond