Detections
Analytics
800-53|RA-3
Title
RISK ASSESSMENTDescription
The organization:Supplemental
Clearly defined authorization boundaries are a prerequisite for effective risk assessments. Risk assessments take into account threats, vulnerabilities, likelihood, and impact to organizational operations and assets, individuals, other organizations, and the Nation based on the operation and use of information systems. Risk assessments also take into account risk from external parties (e.g., service providers, contractors operating information systems on behalf of the organization, individuals accessing organizational information systems, outsourcing entities). In accordance with OMB policy and related E-authentication initiatives, authentication of public users accessing federal information systems may also be required to protect nonpublic or privacy-related information. As such, organizational assessments of risk also address public access to federal information systems. Risk assessments (either formal or informal) can be conducted at all three tiers in the risk management hierarchy (i.e., organization level, mission/business process level, or information system level) and at any phase in the system development life cycle. Risk assessments can also be conducted at various steps in the Risk Management Framework, including categorization, security control selection, security control implementation, security control assessment, information system authorization, and security control monitoring. RA-3 is noteworthy in that the control must be partially implemented prior to the implementation of other controls in order to complete the first two steps in the Risk Management Framework. Risk assessments can play an important role in security control selection processes, particularly during the application of tailoring guidance, which includes security control supplementation.Reference Item Details
Reference: NIST 800-53 - Security and Privacy Controls for Federal Information Systems and Organizations
Related: PM-9,RA-2
Category: RISK ASSESSMENT
Family: RISK ASSESSMENT
Priority: P1
Baseline Impact: LOW,MODERATE,HIGH
Audit Items
View all Reference Audit Items
| Name | Plugin | Audit Name |
|---|---|---|
| Managing Metrics and Improvement | amazon_aws | Tenable AWS Best Practice Audit |
| Test Security | amazon_aws | Tenable AWS Best Practice Audit |