Skip to content

RA-3: Risk Assessment

An OSCAL Control

Statement

    • a.

      Conduct a risk assessment, including:

      • 1.

        Identifying threats to and vulnerabilities in the system;

      • 2.

        Determining the likelihood and magnitude of harm from unauthorized access, use, disclosure, disruption, modification, or destruction of the system, the information it processes, stores, or transmits, and any related information; and

      • 3.

        Determining the likelihood and impact of adverse effects on individuals arising from the processing of personally identifiable information;

    • b.

      Integrate risk assessment results and risk management decisions from the organization and mission or business process perspectives with system-level risk assessments;

    • c.

      Document risk assessment results in ;

    • d.

      Review risk assessment results ;

    • e.

      Disseminate risk assessment results to ; and

    • f.

      Update the risk assessment or when there are significant changes to the system, its environment of operation, or other conditions that may impact the security or privacy state of the system.