RA: Risk Assessment
Controls
RA-1: Risk Assessment Policy and Procedures
Baseline(s):
- Low
- Moderate
- High
The organization: Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]: A risk assessment policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and Procedures to facilitate the implementation of the risk assessment policy and associated risk assessment controls; and Reviews and updates the current: Risk assessment policy…
RA-2: Security Categorization
Baseline(s):
- Low
- Moderate
- High
The organization: Categorizes information and the information system in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance; Documents the security categorization results (including supporting rationale) in the security plan for the information system; and Ensures that the authorizing official or authorizing official designated representative reviews and approves the security categorization…
RA-3: Risk Assessment
Baseline(s):
- Low
- Moderate
- High
The organization: Conducts an assessment of risk, including the likelihood and magnitude of harm, from the unauthorized access, use, disclosure, disruption, modification, or destruction of the information system and the information it processes, stores, or transmits; Documents risk assessment results in [Selection: security plan; risk assessment report; [Assignment: organization-defined document]]; Reviews risk assessment results [Assignment:…
RA-5: Vulnerability Scanning
Baseline(s):
- Low
- Moderate
- High
The organization: Scans for vulnerabilities in the information system and hosted applications [Assignment: organization-defined frequency and/or randomly in accordance with organization-defined process] and when new vulnerabilities potentially affecting the system/applications are identified and reported; Employs vulnerability scanning tools and techniques that facilitate interoperability among tools and automate parts of the vulnerability management process by using…
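The two practical requirements in RA-5 visible above are that scan results from different tools must interoperate and that scanning is re-triggered when a newly reported vulnerability could affect the system. The script below is an added illustration and is not part of the NIST control text or any scanner's own code. It assumes, as a correlation key, the CVE identifier (the control text as shown does not name a specific standard), and it works on constructed sample data: two hypothetical scanner output formats, a hypothetical host-to-package inventory, and a fictitious vulnerability report using placeholder CVE numbers.

```python
"""Normalise findings from two vulnerability scanners and decide which hosts a
newly reported vulnerability calls for re-scanning.

Added example for RA-5, not part of the NIST SP 800-53 text.  Assumptions:
findings are correlated on the CVE identifier; both scanner formats, the host
inventory and the vulnerability report are constructed sample data.
"""
import re
from dataclasses import dataclass

# CVE identifiers look like CVE-YYYY-NNNN with four or more trailing digits.
CVE_RE = re.compile(r"^CVE-\d{4}-\d{4,}$")
SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}


@dataclass(frozen=True)
class Finding:
    host: str
    cve: str
    severity: str  # normalised to lower case so tools can be compared


# Constructed output of a hypothetical scanner A: "host,cve,severity" lines.
# The last line repeats the first, as overlapping scans often do.
SCANNER_A_CSV = """\
web-01,CVE-2099-0001,high
web-01,CVE-2099-0002,medium
db-01,CVE-2099-0003,critical
web-01,CVE-2099-0001,high
"""

# Constructed output of a hypothetical scanner B with a different schema.
SCANNER_B_JSON = [
    {"asset": "web-01", "vuln_id": "CVE-2099-0001", "risk": "HIGH"},
    {"asset": "web-02", "vuln_id": "CVE-2099-0004", "risk": "Low"},
    {"asset": "db-01", "vuln_id": "plugin-12345", "risk": "Low"},  # no CVE: dropped
]

# Constructed software inventory: host -> installed packages.
INVENTORY = {
    "web-01": {"httpd", "openssl"},
    "web-02": {"nginx", "openssl"},
    "db-01": {"postgresql"},
}

# Constructed "new vulnerability reported" event with a placeholder CVE number.
NEW_REPORT = {"cve": "CVE-2099-0001", "affected_packages": ["openssl"]}


def parse_scanner_a(text):
    """Parse the CSV-style format, skipping malformed lines and non-CVE IDs."""
    out = set()
    for line in text.splitlines():
        parts = [p.strip() for p in line.split(",")]
        if len(parts) != 3:
            continue
        host, cve, sev = parts
        if CVE_RE.match(cve):
            out.add(Finding(host, cve, sev.lower()))
    return out


def parse_scanner_b(records):
    """Parse the JSON-style records, keeping only findings with a CVE ID."""
    return {
        Finding(r["asset"], r["vuln_id"], r["risk"].lower())
        for r in records
        if CVE_RE.match(r.get("vuln_id", ""))
    }


def merge_findings(*finding_sets):
    """Collapse findings from several tools onto (host, cve), keeping the
    highest severity any tool reported for that pair."""
    merged = {}
    for findings in finding_sets:
        for f in findings:
            key = (f.host, f.cve)
            current = merged.get(key)
            if current is None or (
                SEVERITY_RANK.get(f.severity, 0) > SEVERITY_RANK.get(current.severity, 0)
            ):
                merged[key] = f
    return merged


def triage_new_report(report, inventory, merged):
    """Split hosts running an affected package into those already known to be
    vulnerable to this CVE (remediate) and those that need a targeted re-scan."""
    affected = set(report["affected_packages"])
    candidates = {h for h, pkgs in inventory.items() if pkgs & affected}
    known = {h for (h, cve) in merged if cve == report["cve"]}
    return sorted(candidates - known), sorted(candidates & known)


if __name__ == "__main__":
    merged = merge_findings(parse_scanner_a(SCANNER_A_CSV), parse_scanner_b(SCANNER_B_JSON))
    for (host, cve), f in sorted(merged.items()):
        print(f"{host:8} {cve:15} {f.severity}")
    rescan, known = triage_new_report(NEW_REPORT, INVENTORY, merged)
    print("re-scan:", rescan, "already vulnerable:", known)
```

The point of the normalisation step is that a finding reported by two tools under different severity labels still resolves to one (host, CVE) record; findings that carry only a tool-specific plugin ID cannot be correlated and are dropped rather than silently duplicated. The triage function then limits the event-driven re-scan the control requires to hosts whose inventory makes them candidates and that no tool has already confirmed.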
RA-6: Technical Surveillance Countermeasures Survey
Baseline(s): (not selected in any baseline)
The organization employs a technical surveillance countermeasures survey at [Assignment: organization-defined locations] [Selection (one or more): [Assignment: organization-defined frequency]; [Assignment: organization-defined events or indicators occur]].