
Risk Assessment (RA)

This page contains all 22 controls and control enhancements in the Risk Assessment (RA) family from the vendored NIST SP 800-53 Revision 5 OSCAL catalog.

Official NIST OSCAL source

  • Catalog version: 5.2.0
  • OSCAL version: 1.2.2
  • Catalog last modified: May 11, 2026

RA-01 (Policy and Procedures)

FedRAMP Rev5 Baselines: Class B, Class C, Class D
  • a. Develop, document, and disseminate to [Assignment: organization-defined personnel or roles]:
    • 1. [Selection: one or more of: organization-level; mission/business process-level; system-level] risk assessment policy that:
      • (a) Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and
      • (b) Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and
    • 2. Procedures to facilitate the implementation of the risk assessment policy and the associated risk assessment controls;
  • b. Designate an [Assignment: organization-defined official] to manage the development, documentation, and dissemination of the risk assessment policy and procedures; and
  • c. Review and update the current risk assessment:
    • 1. Policy [Assignment: organization-defined frequency] and following [Assignment: organization-defined events]; and
    • 2. Procedures [Assignment: organization-defined frequency] and following [Assignment: organization-defined events].

This control does not have additional FedRAMP guidance or FedRAMP-assigned parameter values.


External Link for Additional Information: myctrl.tools


RA-02 (Security Categorization)

FedRAMP Rev5 Baselines: Class B, Class C, Class D
  • a. Categorize the system and information it processes, stores, and transmits;
  • b. Document the security categorization results, including supporting rationale, in the security plan for the system; and
  • c. Verify that the authorizing official or authorizing official designated representative reviews and approves the security categorization decision.

This control does not have additional FedRAMP guidance or FedRAMP-assigned parameter values.


External Link for Additional Information: myctrl.tools


RA-02 (01) (Impact-level Prioritization)

Conduct an impact-level prioritization of organizational systems to obtain additional granularity on system impact levels.


This control does not have additional FedRAMP guidance or FedRAMP-assigned parameter values.


External Link for Additional Information: myctrl.tools


RA-03 (Risk Assessment)

FedRAMP Rev5 Baselines: Class B, Class C, Class D
  • a. Conduct a risk assessment, including:
    • 1. Identifying threats to and vulnerabilities in the system;
    • 2. Determining the likelihood and magnitude of harm from unauthorized access, use, disclosure, disruption, modification, or destruction of the system, the information it processes, stores, or transmits, and any related information; and
    • 3. Determining the likelihood and impact of adverse effects on individuals arising from the processing of personally identifiable information;
  • b. Integrate risk assessment results and risk management decisions from the organization and mission or business process perspectives with system-level risk assessments;
  • c. Document risk assessment results in [Selection: one of: security and privacy plans; risk assessment report];
  • d. Review risk assessment results [Assignment: organization-defined frequency];
  • e. Disseminate risk assessment results to [Assignment: organization-defined personnel or roles]; and
  • f. Update the risk assessment [Assignment: organization-defined frequency] or when there are significant changes to the system, its environment of operation, or other conditions that may impact the security or privacy state of the system.

This control does not have additional FedRAMP guidance or FedRAMP-assigned parameter values.


External Link for Additional Information: myctrl.tools


RA-03 (01) (Supply Chain Risk Assessment)

FedRAMP Rev5 Baselines: Class B, Class C, Class D
  • (a) Assess supply chain risks associated with [Assignment: organization-defined systems, system components, and system services]; and
  • (b) Update the supply chain risk assessment [Assignment: organization-defined frequency], when there are significant changes to the relevant supply chain, or when changes to the system, environments of operation, or other conditions may necessitate a change in the supply chain.

This control does not have additional FedRAMP guidance or FedRAMP-assigned parameter values.


External Link for Additional Information: myctrl.tools


RA-03 (02) (Use of All-source Intelligence)

Use all-source intelligence to assist in the analysis of risk.


This control does not have additional FedRAMP guidance or FedRAMP-assigned parameter values.


External Link for Additional Information: myctrl.tools


RA-03 (03) (Dynamic Threat Awareness)

Determine the current cyber threat environment on an ongoing basis using [Assignment: organization-defined means].


This control does not have additional FedRAMP guidance or FedRAMP-assigned parameter values.


External Link for Additional Information: myctrl.tools


RA-03 (04) (Predictive Cyber Analytics)

Employ the following advanced automation and analytics capabilities to predict and identify risks to [Assignment: organization-defined systems or system components]: [Assignment: organization-defined advanced automation and analytics capabilities].


This control does not have additional FedRAMP guidance or FedRAMP-assigned parameter values.


External Link for Additional Information: myctrl.tools


RA-05 (Vulnerability Monitoring and Scanning)

FedRAMP Rev5 Baselines: Class B, Class C, Class D
  • a. Monitor and scan for vulnerabilities in the system and hosted applications [Assignment: organization-defined frequency and/or randomly in accordance with organization-defined process] and when new vulnerabilities potentially affecting the system are identified and reported;
  • b. Employ vulnerability monitoring tools and techniques that facilitate interoperability among tools and automate parts of the vulnerability management process by using standards for:
    • 1. Enumerating platforms, software flaws, and improper configurations;
    • 2. Formatting checklists and test procedures; and
    • 3. Measuring vulnerability impact;
  • c. Analyze vulnerability scan reports and results from vulnerability monitoring;
  • d. Remediate legitimate vulnerabilities [Assignment: organization-defined response times] in accordance with an organizational assessment of risk;
  • e. Share information obtained from the vulnerability monitoring process and control assessments with [Assignment: organization-defined personnel or roles] to help eliminate similar vulnerabilities in other systems; and
  • f. Employ vulnerability monitoring tools that include the capability to readily update the vulnerabilities to be scanned.

FedRAMP Guidance

Follow the FedRAMP Vulnerability Detection and Response and Vulnerability Evaluation and Reporting rules.


External Link for Additional Information: myctrl.tools


RA-05 (02) (Update Vulnerabilities to Be Scanned)

FedRAMP Rev5 Baselines: Class B, Class C, Class D

Update the system vulnerabilities to be scanned [Selection: one or more of: prior to a new scan; when new vulnerabilities are identified and reported].


FedRAMP Guidance

Follow the FedRAMP Vulnerability Detection and Response and Vulnerability Evaluation and Reporting rules.


External Link for Additional Information: myctrl.tools


RA-05 (03) (Breadth and Depth of Coverage)

FedRAMP Rev5 Baselines: Class C, Class D

Define the breadth and depth of vulnerability scanning coverage.


FedRAMP Guidance

Follow the FedRAMP Vulnerability Detection and Response and Vulnerability Evaluation and Reporting rules.


External Link for Additional Information: myctrl.tools


RA-05 (04) (Discoverable Information)

FedRAMP Rev5 Baselines: Class D

Determine information about the system that is discoverable and take [Assignment: organization-defined corrective actions].


FedRAMP Guidance

Follow the FedRAMP Vulnerability Detection and Response and Vulnerability Evaluation and Reporting rules.


External Link for Additional Information: myctrl.tools


RA-05 (05) (Privileged Access)

FedRAMP Rev5 Baselines: Class C, Class D

Implement privileged access authorization to [Assignment: organization-defined system components] for [Assignment: organization-defined vulnerability scanning activities].


FedRAMP Guidance

Follow the FedRAMP Vulnerability Detection and Response and Vulnerability Evaluation and Reporting rules.


External Link for Additional Information: myctrl.tools


RA-05 (06) (Automated Trend Analyses)

Compare the results of multiple vulnerability scans using [Assignment: organization-defined automated mechanisms].


This control does not have additional FedRAMP guidance or FedRAMP-assigned parameter values.


External Link for Additional Information: myctrl.tools


RA-05 (08) (Review Historic Audit Logs)

FedRAMP Rev5 Baselines: Class D

Review historic audit logs to determine if a vulnerability identified in a [Assignment: organization-defined system] has been previously exploited within an [Assignment: organization-defined time period].


FedRAMP Guidance

Follow the FedRAMP Vulnerability Detection and Response and Vulnerability Evaluation and Reporting rules.


External Link for Additional Information: myctrl.tools


RA-05 (10) (Correlate Scanning Information)

Correlate the output from vulnerability scanning tools to determine the presence of multi-vulnerability and multi-hop attack vectors.


This control does not have additional FedRAMP guidance or FedRAMP-assigned parameter values.


External Link for Additional Information: myctrl.tools


RA-05 (11) (Public Disclosure Program)

FedRAMP Rev5 Baselines: Class B, Class C, Class D

Establish a public reporting channel for receiving reports of vulnerabilities in organizational systems and system components.


FedRAMP Guidance

Follow the FedRAMP Vulnerability Detection and Response and Vulnerability Evaluation and Reporting rules.


External Link for Additional Information: myctrl.tools


RA-06 (Technical Surveillance Countermeasures Survey)

Employ a technical surveillance countermeasures survey at [Assignment: organization-defined locations] [Selection: one or more of: when].


This control does not have additional FedRAMP guidance or FedRAMP-assigned parameter values.


External Link for Additional Information: myctrl.tools


RA-07 (Risk Response)

FedRAMP Rev5 Baselines: Class B, Class C, Class D

Respond to findings from security and privacy assessments, monitoring, and audits in accordance with organizational risk tolerance.


FedRAMP Guidance

Follow the FedRAMP Vulnerability Detection and Response and Vulnerability Evaluation and Reporting rules.


External Link for Additional Information: myctrl.tools


RA-08 (Privacy Impact Assessments)

Conduct privacy impact assessments for systems, programs, or other activities before:

  • a. Developing or procuring information technology that processes personally identifiable information; and
  • b. Initiating a new collection of personally identifiable information that:
    • 1. Will be processed using information technology; and
    • 2. Includes personally identifiable information permitting the physical or virtual (online) contacting of a specific individual, if identical questions have been posed to, or identical reporting requirements imposed on, ten or more individuals, other than agencies, instrumentalities, or employees of the federal government.

This control does not have additional FedRAMP guidance or FedRAMP-assigned parameter values.


External Link for Additional Information: myctrl.tools


RA-09 (Criticality Analysis)

FedRAMP Rev5 Baselines: Class C, Class D

Identify critical system components and functions by performing a criticality analysis for [Assignment: organization-defined systems, system components, or system services] at [Assignment: organization-defined decision points in the system development life cycle].


This control does not have additional FedRAMP guidance or FedRAMP-assigned parameter values.


External Link for Additional Information: myctrl.tools


RA-10 (Threat Hunting)

  • a. Establish and maintain a cyber threat hunting capability to:
    • 1. Search for indicators of compromise in organizational systems; and
    • 2. Detect, track, and disrupt threats that evade existing controls; and
  • b. Employ the threat hunting capability [Assignment: organization-defined frequency].

This control does not have additional FedRAMP guidance or FedRAMP-assigned parameter values.


External Link for Additional Information: myctrl.tools

