This page is classified as INTERNAL.
NIST 800-53 (r4) Control:
The organization:
a. Conducts an assessment of risk, including the likelihood and magnitude of harm, from the unauthorized access, use, disclosure, disruption, modification, or destruction of the information system and the information it processes, stores, or transmits;
b. Documents risk assessment results in [Selection: security plan; risk assessment report; [FedRAMP Assignment: (L)(M)(H) security assessment report]];
c. Reviews risk assessment results [FedRAMP Assignment: (L)(M) at least every three (3) years or when a significant change occurs; (H) at least annually or whenever a significant change occurs];
d. Disseminates risk assessment results to [Assignment: organization-defined personnel or roles]; and
e. Updates the risk assessment [FedRAMP Assignment: (L)(M) at least every three (3) years or when a significant change occurs; (H) annually] or whenever there are significant changes to the information system or environment of operation (including the identification of new threats and vulnerabilities), or other conditions that may impact the security state of the system.
RA-3 Additional FedRAMP Requirements and Guidance: Significant change is defined in NIST Special Publication 800-37 Revision 1, Appendix F.
RA-3 (d) Additional FedRAMP Requirements and Guidance: Include all Authorizing Officials; for JAB authorizations to include FedRAMP.
NIST 800-53 (r4) Supplemental Guidance:
Clearly defined authorization boundaries are a prerequisite for effective risk assessments. Risk assessments take into account threats, vulnerabilities, likelihood, and impact to organizational operations and assets, individuals, other organizations, and the Nation based on the operation and use of information systems. Risk assessments also take into account risk from external parties (e.g., service providers, contractors operating information systems on behalf of the organization, individuals accessing organizational information systems, outsourcing entities). In accordance with OMB policy and related E-authentication initiatives, authentication of public users accessing federal information systems may also be required to protect nonpublic or privacy-related information. As such, organizational assessments of risk also address public access to federal information systems.
Risk assessments (either formal or informal) can be conducted at all three tiers in the risk management hierarchy (i.e., organization level, mission/business process level, or information system level) and at any phase in the system development life cycle. Risk assessments can also be conducted at various steps in the Risk Management Framework, including categorization, security control selection, security control implementation, security control assessment, information system authorization, and security control monitoring. RA-3 is noteworthy in that the control must be partially implemented prior to the implementation of other controls in order to complete the first two steps in the Risk Management Framework. Risk assessments can play an important role in security control selection processes, particularly during the application of tailoring guidance, which includes security control supplementation. Related controls: RA-2, PM-9.
References: OMB Memorandum 04-04; NIST Special Publication 800-30, 800-39; Web: idmanagement.gov.
NIST 800-53 (r5) Discussion:
Risk assessments consider threats, vulnerabilities, likelihood, and impact to organizational operations and assets, individuals, other organizations, and the Nation. Risk assessments also consider risk from external parties, including contractors who operate systems on behalf of the organization, individuals who access organizational systems, service providers, and outsourcing entities.
Organizations can conduct risk assessments at all three levels in the risk management hierarchy (i.e., organization level, mission/business process level, or information system level) and at any stage in the system development life cycle. Risk assessments can also be conducted at various steps in the Risk Management Framework, including preparation, categorization, control selection, control implementation, control assessment, authorization, and control monitoring. Risk assessment is an ongoing activity carried out throughout the system development life cycle.
Risk assessments can also address information related to the system, including system design, the intended use of the system, testing results, and supply chain-related information or artifacts. Risk assessments can play an important role in control selection processes, particularly during the application of tailoring guidance and in the earliest phases of capability determination.
38North Guidance:
Meets Minimum Requirement:
Conduct risk assessments and document them in the security plan, a risk assessment report, or organization-defined documentation.
Risk assessments have a security assessment plan (SAP) that is agreed upon and signed by both the 3PAO and the CSP.
Risk assessment results need to be documented in a security assessment report (SAR).
Risk assessment results need to be disseminated to all Authorizing Officials.
Review the risk assessment at least every 3 years or when a significant change occurs, and update it after each review.
Best Practice:
Conduct risk assessments annually or when a significant change occurs within the environment.
Ensure that all controls are tested within every 3-year period after the initial assessment, with one third of the controls tested each year. Core controls are tested annually.
Unofficial FedRAMP Guidance: None
Assessment Evidence:
Prior risk assessment results.
Screenshot evidence that risk assessment reports are disseminated to the authorized individuals.
SAP by 3PAO demonstrating controls tested in prior assessment.
SAP by 3PAO demonstrating controls tested in current assessment.
CSP Implementation Tips:
Amazon Web Services (AWS): TBD
Microsoft Azure: TBD
Google Cloud Platform: TBD