Control ID Title / Statement Priority Baseline Impact
RA-1
Risk Assessment Policy and Procedures 3 params
The organization: a. Develops, documents, and disseminates to {{ insert: param, ra-1_prm_1 }}: 1. A risk assessment policy that addresses purpose, scope, roles, responsibilities, management c...
Param ID | Label | Constraint / Choices
ra-1_prm_1 | organization-defined personnel or roles | Organization-defined
ra-1_prm_2 | organization-defined frequency | Organization-defined
ra-1_prm_3 | organization-defined frequency | Organization-defined
RA-2
Security Categorization
The organization: a. Categorizes information and the information system in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance; ...
RA-3
Risk Assessment 5 params
The organization: a. Conducts an assessment of risk, including the likelihood and magnitude of harm, from the unauthorized access, use, disclosure, disruption, modification, or destruction of the...
Param ID | Label | Constraint / Choices
ra-3_prm_1 | (none) | Select one: security plan; risk assessment report; {{ insert: param, ra-3_prm_2 }}
ra-3_prm_2 | organization-defined document | Organization-defined
ra-3_prm_3 | organization-defined frequency | Organization-defined
ra-3_prm_4 | organization-defined personnel or roles | Organization-defined
ra-3_prm_5 | organization-defined frequency | Organization-defined
RA-4
Risk Assessment Update
RA-5
Vulnerability Scanning 3 params
The organization: a. Scans for vulnerabilities in the information system and hosted applications {{ insert: param, ra-5_prm_1 }} and when new vulnerabilities potentially affecting the system/appl...
Param ID | Label | Constraint / Choices
ra-5_prm_1 | organization-defined frequency and/or randomly in accordance with organization-defined process | Organization-defined
ra-5_prm_2 | organization-defined response times | Organization-defined
ra-5_prm_3 | organization-defined personnel or roles | Organization-defined
RA-5(1)
Update Tool Capability
The organization employs vulnerability scanning tools that include the capability to readily update the information system vulnerabilities to be scanned.
RA-5(2)
Update by Frequency / Prior to New Scan / When Identified 2 params
The organization updates the information system vulnerabilities scanned {{ insert: param, ra-5.2_prm_1 }}.
Param ID | Label | Constraint / Choices
ra-5.2_prm_1 | (none) | Select one-or-more: {{ insert: param, ra-5.2_prm_2 }}; prior to a new scan; when new vulnerabilities are identified and reported
ra-5.2_prm_2 | organization-defined frequency | Organization-defined
RA-5(3)
Breadth / Depth of Coverage
The organization employs vulnerability scanning procedures that can identify the breadth and depth of coverage (i.e., information system components scanned and vulnerabilities checked).
RA-5(4)
Discoverable Information 1 param
The organization determines what information about the information system is discoverable by adversaries and subsequently takes {{ insert: param, ra-5.4_prm_1 }}.
Param ID | Label | Constraint / Choices
ra-5.4_prm_1 | organization-defined corrective actions | Organization-defined
RA-5(5)
Privileged Access 2 params
The information system implements privileged access authorization to {{ insert: param, ra-5.5_prm_1 }} for selected {{ insert: param, ra-5.5_prm_2 }}.
Param ID | Label | Constraint / Choices
ra-5.5_prm_1 | organization-identified information system components | Organization-defined
ra-5.5_prm_2 | organization-defined vulnerability scanning activities | Organization-defined
RA-5(6)
Automated Trend Analyses
The organization employs automated mechanisms to compare the results of vulnerability scans over time to determine trends in information system vulnerabilities.
RA-5(7)
Automated Detection and Notification of Unauthorized Components
RA-5(8)
Review Historic Audit Logs
The organization reviews historic audit logs to determine if a vulnerability identified in the information system has been previously exploited.
RA-5(9)
Penetration Testing and Analyses
RA-5(10)
Correlate Scanning Information
The organization correlates the output from vulnerability scanning tools to determine the presence of multi-vulnerability/multi-hop attack vectors.
RA-6
Technical Surveillance Countermeasures Survey 4 params
The organization employs a technical surveillance countermeasures survey at {{ insert: param, ra-6_prm_1 }} {{ insert: param, ra-6_prm_2 }}.
Param ID | Label | Constraint / Choices
ra-6_prm_1 | organization-defined locations | Organization-defined
ra-6_prm_2 | (none) | Select one-or-more: {{ insert: param, ra-6_prm_3 }}; {{ insert: param, ra-6_prm_4 }}
ra-6_prm_3 | organization-defined frequency | Organization-defined
ra-6_prm_4 | organization-defined events or indicators occur | Organization-defined
ra-1a Develops, documents, and disseminates to {{ insert: param, ra-1_prm_1 }}:
ra-1a.1 A risk assessment policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities,...
ra-1a.2 Procedures to facilitate the implementation of the risk assessment policy and associated risk assessment controls; and
ra-1b Reviews and updates the current:
ra-1b.1 Risk assessment policy {{ insert: param, ra-1_prm_2 }}; and
ra-1b.2 Risk assessment procedures {{ insert: param, ra-1_prm_3 }}.
ra-2a Categorizes information and the information system in accordance with applicable federal laws, Executive Orders, directives, policies, regulations,...
ra-2b Documents the security categorization results (including supporting rationale) in the security plan for the information system; and
ra-2c Ensures that the authorizing official or authorizing official designated representative reviews and approves the security categorization decision.
ra-3a Conducts an assessment of risk, including the likelihood and magnitude of harm, from the unauthorized access, use, disclosure, disruption, modifica...
ra-3b Documents risk assessment results in {{ insert: param, ra-3_prm_1 }};
ra-3c Reviews risk assessment results {{ insert: param, ra-3_prm_3 }};
ra-3d Disseminates risk assessment results to {{ insert: param, ra-3_prm_4 }}; and
ra-3e Updates the risk assessment {{ insert: param, ra-3_prm_5 }} or whenever there are significant changes to the information system or environment of o...
ra-5a Scans for vulnerabilities in the information system and hosted applications {{ insert: param, ra-5_prm_1 }} and when new vulnerabilities potentiall...
ra-5b Employs vulnerability scanning tools and techniques that facilitate interoperability among tools and automate parts of the vulnerability management...
ra-5b.1 Enumerating platforms, software flaws, and improper configurations;
ra-5b.2 Formatting checklists and test procedures; and
ra-5b.3 Measuring vulnerability impact;
ra-5c Analyzes vulnerability scan reports and results from security control assessments;
ra-5d Remediates legitimate vulnerabilities {{ insert: param, ra-5_prm_2 }} in accordance with an organizational assessment of risk; and
ra-5e Shares information obtained from the vulnerability scanning process and security control assessments with {{ insert: param, ra-5_prm_3 }} to help e...