Control ID | Title / Statement | Priority | Baseline | Impact
RA-01 | Policy and Procedures (9 params)
a. Develop, document, and disseminate to {{ insert: param, ra-1_prm_1 }}: 1. {{ insert: param, ra-01_odp.03 }} risk assessment policy that: (a) Addresses purpose, scope, roles, responsi...
Param ID | Label | Constraint / Choices
ra-1_prm_1 | organization-defined personnel or roles | Organization-defined
ra-01_odp.01 | personnel or roles | personnel or roles to whom the risk assessment policy is to be disseminated is/are defined;
ra-01_odp.02 | personnel or roles | personnel or roles to whom the risk assessment procedures are to be disseminated is/are defined;
ra-01_odp.03 | | Select one-or-more: organization-level; mission/business process-level; system-level
ra-01_odp.04 | official | an official to manage the risk assessment policy and procedures is defined;
ra-01_odp.05 | frequency | the frequency at which the current risk assessment policy is reviewed and updated is defined;
ra-01_odp.06 | events | events that would require the current risk assessment policy to be reviewed and updated are defined;
ra-01_odp.07 | frequency | the frequency at which the current risk assessment procedures are reviewed and updated is defined;
ra-01_odp.08 | events | events that would require risk assessment procedures to be reviewed and updated are defined;
RA-02 | Security Categorization
a. Categorize the system and information it processes, stores, and transmits; b. Document the security categorization results, including supporting rationale, in the security plan for the syste...
RA-02(01) | Impact-level Prioritization
Conduct an impact-level prioritization of organizational systems to obtain additional granularity on system impact levels.
RA-03 | Risk Assessment (5 params)
a. Conduct a risk assessment, including: 1. Identifying threats to and vulnerabilities in the system; 2. Determining the likelihood and magnitude of harm from unauthorized access, use, di...
Param ID | Label | Constraint / Choices
ra-03_odp.01 | | Select one: security and privacy plans; risk assessment report; {{ insert: param, ra-03_odp.02 }}
ra-03_odp.02 | document | a document in which risk assessment results are to be documented (if not documented in the security and privacy plans...
ra-03_odp.03 | frequency | the frequency to review risk assessment results is defined;
ra-03_odp.04 | personnel or roles | personnel or roles to whom risk assessment results are to be disseminated is/are defined;
ra-03_odp.05 | frequency | the frequency to update the risk assessment is defined;
RA-03(01) | Supply Chain Risk Assessment (2 params)
(a) Assess supply chain risks associated with {{ insert: param, ra-03.01_odp.01 }} ; and (b) Update the supply chain risk assessment {{ insert: param, ra-03.01_odp.02 }} , when there are signif...
Param ID | Label | Constraint / Choices
ra-03.01_odp.01 | systems, system components, and system services | systems, system components, and system services to assess supply chain risks are defined;
ra-03.01_odp.02 | frequency | the frequency at which to update the supply chain risk assessment is defined;
RA-03(02) | Use of All-source Intelligence
Use all-source intelligence to assist in the analysis of risk.
RA-03(03) | Dynamic Threat Awareness (1 param)
Determine the current cyber threat environment on an ongoing basis using {{ insert: param, ra-03.03_odp }}.
Param ID | Label | Constraint / Choices
ra-03.03_odp | means | means to determine the current cyber threat environment on an ongoing basis;
RA-03(04) | Predictive Cyber Analytics (4 params)
Employ the following advanced automation and analytics capabilities to predict and identify risks to {{ insert: param, ra-03.04_odp.02 }}: {{ insert: param, ra-3.4_prm_2 }}.
Param ID | Label | Constraint / Choices
ra-3.4_prm_2 | organization-defined advanced automation and analytics capabilities | Organization-defined
ra-03.04_odp.01 | advanced automation capabilities | advanced automation capabilities to predict and identify risks are defined;
ra-03.04_odp.02 | systems or system components | systems or system components where advanced automation and analytics capabilities are to be employed are defined;
ra-03.04_odp.03 | advanced analytics capabilities | advanced analytics capabilities to predict and identify risks are defined;
RA-04 | Risk Assessment Update
RA-05 | Vulnerability Monitoring and Scanning (5 params)
a. Monitor and scan for vulnerabilities in the system and hosted applications {{ insert: param, ra-5_prm_1 }} and when new vulnerabilities potentially affecting the system are identified and repo...
Param ID | Label | Constraint / Choices
ra-5_prm_1 | organization-defined frequency and/or randomly in accordance with organization-defined process | Organization-defined
ra-05_odp.01 | frequency and/or randomly in accordance with organization-defined process | frequency for monitoring systems and hosted applications for vulnerabilities is defined;
ra-05_odp.02 | frequency and/or randomly in accordance with organization-defined process | frequency for scanning systems and hosted applications for vulnerabilities is defined;
ra-05_odp.03 | response times | response times to remediate legitimate vulnerabilities in accordance with an organizational assessment of risk are de...
ra-05_odp.04 | personnel or roles | personnel or roles with whom information obtained from the vulnerability scanning process and control assessments is ...
RA-05(01) | Update Tool Capability
RA-05(02) | Update Vulnerabilities to Be Scanned (2 params)
Update the system vulnerabilities to be scanned {{ insert: param, ra-05.02_odp.01 }}.
Param ID | Label | Constraint / Choices
ra-05.02_odp.01 | | Select one-or-more: {{ insert: param, ra-05.02_odp.02 }} ; prior to a new scan; when new vulnerabilities are identified and reported
ra-05.02_odp.02 | frequency | the frequency for updating the system vulnerabilities to be scanned is defined (if selected);
RA-05(03) | Breadth and Depth of Coverage
Define the breadth and depth of vulnerability scanning coverage.
RA-05(04) | Discoverable Information (1 param)
Determine information about the system that is discoverable and take {{ insert: param, ra-05.04_odp }}.
Param ID | Label | Constraint / Choices
ra-05.04_odp | corrective actions | corrective actions to be taken if information about the system is discoverable are defined;
RA-05(05) | Privileged Access (2 params)
Implement privileged access authorization to {{ insert: param, ra-05.05_odp.01 }} for {{ insert: param, ra-05.05_odp.02 }}.
Param ID | Label | Constraint / Choices
ra-05.05_odp.01 | system components | system components to which privileged access is authorized for selected vulnerability scanning activities are defined;
ra-05.05_odp.02 | vulnerability scanning activities | vulnerability scanning activities selected for privileged access authorization to system components are defined;
RA-05(06) | Automated Trend Analyses (1 param)
Compare the results of multiple vulnerability scans using {{ insert: param, ra-05.06_odp }}.
Param ID | Label | Constraint / Choices
ra-05.06_odp | automated mechanisms | automated mechanisms to compare the results of multiple vulnerability scans are defined;
RA-05(07) | Automated Detection and Notification of Unauthorized Components
RA-05(08) | Review Historic Audit Logs (2 params)
Review historic audit logs to determine if a vulnerability identified in a {{ insert: param, ra-05.08_odp.01 }} has been previously exploited within an {{ insert: param, ra-05.08_odp.02 }}.
Param ID | Label | Constraint / Choices
ra-05.08_odp.01 | system | a system whose historic audit logs are to be reviewed is defined;
ra-05.08_odp.02 | time period | a time period for a potential previous exploit of a system is defined;
RA-05(09) | Penetration Testing and Analyses
RA-05(10) | Correlate Scanning Information
Correlate the output from vulnerability scanning tools to determine the presence of multi-vulnerability and multi-hop attack vectors.
RA-05(11) | Public Disclosure Program
Establish a public reporting channel for receiving reports of vulnerabilities in organizational systems and system components.
RA-06 | Technical Surveillance Countermeasures Survey (4 params)
Employ a technical surveillance countermeasures survey at {{ insert: param, ra-06_odp.01 }} {{ insert: param, ra-06_odp.02 }}.
Param ID | Label | Constraint / Choices
ra-06_odp.01 | locations | locations to employ technical surveillance countermeasure surveys are defined;
ra-06_odp.02 | | Select one-or-more: {{ insert: param, ra-06_odp.03 }} ; when {{ insert: param, ra-06_odp.04 }}
ra-06_odp.03 | frequency | the frequency at which to employ technical surveillance countermeasure surveys is defined (if selected);
ra-06_odp.04 | events or indicators | events or indicators which, if they occur, trigger a technical surveillance countermeasures survey are defined (if se...
RA-07 | Risk Response
Respond to findings from security and privacy assessments, monitoring, and audits in accordance with organizational risk tolerance.
RA-08 | Privacy Impact Assessments
Conduct privacy impact assessments for systems, programs, or other activities before: a. Developing or procuring information technology that processes personally identifiable information; and b...
RA-09 | Criticality Analysis (2 params)
Identify critical system components and functions by performing a criticality analysis for {{ insert: param, ra-09_odp.01 }} at {{ insert: param, ra-09_odp.02 }}.
Param ID | Label | Constraint / Choices
ra-09_odp.01 | systems, system components, or system services | systems, system components, or system services to be analyzed for criticality are defined;
ra-09_odp.02 | decision points in the system development life cycle | decision points in the system development life cycle when a criticality analysis is to be performed are defined;
RA-10 | Threat Hunting (1 param)
a. Establish and maintain a cyber threat hunting capability to: 1. Search for indicators of compromise in organizational systems; and 2. Detect, track, and disrupt threats that evade exis...
Param ID | Label | Constraint / Choices
ra-10_odp | frequency | the frequency at which to employ the threat hunting capability is defined;
ra-1a Develop, document, and disseminate to {{ insert: param, ra-1_prm_1 }}:
ra-1a.1 {{ insert: param, ra-01_odp.03 }} risk assessment policy that:
ra-1a.1.(a) Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and
ra-1a.1.(b) Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and
ra-1a.2 Procedures to facilitate the implementation of the risk assessment policy and the associated risk assessment controls;
ra-1b Designate an {{ insert: param, ra-01_odp.04 }} to manage the development, documentation, and dissemination of the risk assessment policy and proced...
ra-1c Review and update the current risk assessment:
ra-1c.1 Policy {{ insert: param, ra-01_odp.05 }} and following {{ insert: param, ra-01_odp.06 }} ; and
ra-1c.2 Procedures {{ insert: param, ra-01_odp.07 }} and following {{ insert: param, ra-01_odp.08 }}.
ra-2a Categorize the system and information it processes, stores, and transmits;
ra-2b Document the security categorization results, including supporting rationale, in the security plan for the system; and
ra-2c Verify that the authorizing official or authorizing official designated representative reviews and approves the security categorization decision.
ra-3a Conduct a risk assessment, including:
ra-3a.1 Identifying threats to and vulnerabilities in the system;
ra-3a.2 Determining the likelihood and magnitude of harm from unauthorized access, use, disclosure, disruption, modification, or destruction of the system,...
ra-3a.3 Determining the likelihood and impact of adverse effects on individuals arising from the processing of personally identifiable information;
ra-3b Integrate risk assessment results and risk management decisions from the organization and mission or business process perspectives with system-leve...
ra-3c Document risk assessment results in {{ insert: param, ra-03_odp.01 }};
ra-3d Review risk assessment results {{ insert: param, ra-03_odp.03 }};
ra-3e Disseminate risk assessment results to {{ insert: param, ra-03_odp.04 }} ; and
ra-3f Update the risk assessment {{ insert: param, ra-03_odp.05 }} or when there are significant changes to the system, its environment of operation, or ...
ra-3.1.(a) Assess supply chain risks associated with {{ insert: param, ra-03.01_odp.01 }} ; and
ra-3.1.(b) Update the supply chain risk assessment {{ insert: param, ra-03.01_odp.02 }} , when there are significant changes to the relevant supply chain, or ...
ra-5a Monitor and scan for vulnerabilities in the system and hosted applications {{ insert: param, ra-5_prm_1 }} and when new vulnerabilities potentially...
ra-5b Employ vulnerability monitoring tools and techniques that facilitate interoperability among tools and automate parts of the vulnerability managemen...
ra-5b.1 Enumerating platforms, software flaws, and improper configurations;
ra-5b.2 Formatting checklists and test procedures; and
ra-5b.3 Measuring vulnerability impact;
ra-5c Analyze vulnerability scan reports and results from vulnerability monitoring;
ra-5d Remediate legitimate vulnerabilities {{ insert: param, ra-05_odp.03 }} in accordance with an organizational assessment of risk;
ra-5e Share information obtained from the vulnerability monitoring process and control assessments with {{ insert: param, ra-05_odp.04 }} to help elimina...
ra-5f Employ vulnerability monitoring tools that include the capability to readily update the vulnerabilities to be scanned.
ra-8a Developing or procuring information technology that processes personally identifiable information; and
ra-8b Initiating a new collection of personally identifiable information that:
ra-8b.1 Will be processed using information technology; and
ra-8b.2 Includes personally identifiable information permitting the physical or virtual (online) contacting of a specific individual, if identical question...
ra-10a Establish and maintain a cyber threat hunting capability to:
ra-10a.1 Search for indicators of compromise in organizational systems; and
ra-10a.2 Detect, track, and disrupt threats that evade existing controls; and
ra-10b Employ the threat hunting capability {{ insert: param, ra-10_odp }}.