Guidance for NIST 800-171 Assessment & Compliance
Applicable (Y)es / (N)o |
(C)onfidentiality |
(I)ntegrity |
(A)vailability |
RPN (C+I+A) |
(S)atisfactory |
||||||
L1 |
M2 |
H3 |
L1 |
M2 |
H3 |
L1 |
M2 |
H3 |
(O)ther than satisfactory +## |
||
|
|
|
|
|
|
|
|
|
|
|
|
###
ra-3 |
risk assessment |
|||
|
assessment objective: Determine if the organization: |
|||
ra-3(a) |
conducts an assessment of risk, including the likelihood and magnitude of harm, from the unauthorized access, use, disclosure, disruption, modification, or destruction of: |
|||
ra-3(a)[1] |
the information system; |
|||
ra-3(a)[2] |
the information the system processes, stores, or transmits; |
|||
ra-3(b) |
ra-3(b)[1] |
defines a document in which risk assessment results are to be documented (if not documented in the security plan or risk assessment report); |
||
ra-3(b)[2] |
documents risk assessment results in one of the following: |
|||
ra-3(b)[2][a] |
the security plan; |
|||
ra-3(b)[2][b] |
the risk assessment report; or |
|||
ra-3(b)[2][c] |
the organization-defined document; |
|||
ra-3(c) |
ra-3(c)[1] |
defines the frequency to review risk assessment results; |
||
ra-3(c)[2] |
reviews risk assessment results with the organization-defined frequency; |
|||
ra-3(d) |
ra-3(d)[1] |
defines personnel or roles to whom risk assessment results are to be disseminated; |
||
ra-3(d)[2] |
disseminates risk assessment results to organization-defined personnel or roles; |
|||
ra-3(e) |
ra-3(e)[1] |
defines the frequency to update the risk assessment; |
||
ra-3(e)[2] |
updates the risk assessment: |
|||
ra-3(e)[2][a] |
with the organization-defined frequency; |
|||
ra-3(e)[2][b] |
whenever there are significant changes to the information system or environment of operation (including the identification of new threats and vulnerabilities); and |
|||
ra-3(e)[2][c] |
whenever there are other conditions that may impact the security state of the system. |
|||
potential assessment methods and objects: Examine: [select from: Risk assessment policy; security planning policy and procedures; procedures addressing organizational assessments of risk; security plan; risk assessment; risk assessment results; risk assessment reviews; risk assessment updates; other relevant documents or records]. Interview: [select from: Organizational personnel with risk assessment responsibilities; organizational personnel with information security responsibilities]. Test: [select from: Organizational processes for risk assessment; automated mechanisms supporting and/or for conducting, documenting, reviewing, disseminating, and updating the risk assessment]. |
||||
