RA-3: Risk Assessment

Control Family:

Risk Assessment


  • Low
  • Moderate
  • High
  • Privacy
    • RA-3

Previous Version:

Control Statement

  1. Conduct a risk assessment, including:
    1. Identifying threats to and vulnerabilities in the system;
    2. Determining the likelihood and magnitude of harm from unauthorized access, use, disclosure, disruption, modification, or destruction of the system, the information it processes, stores, or transmits, and any related information; and
    3. Determining the likelihood and impact of adverse effects on individuals arising from the processing of personally identifiable information;
  2. Integrate risk assessment results and risk management decisions from the organization and mission or business process perspectives with system-level risk assessments;
  3. Document risk assessment results in [Assignment: security and privacy plans, risk assessment report, [Assignment: organization-defined document] ];
  4. Review risk assessment results [Assignment: organization-defined frequency];
  5. Disseminate risk assessment results to [Assignment: organization-defined personnel or roles]; and
  6. Update the risk assessment [Assignment: organization-defined frequency] or when there are significant changes to the system, its environment of operation, or other conditions that may impact the security or privacy state of the system.

Supplemental Guidance

Risk assessments consider threats, vulnerabilities, likelihood, and impact to organizational operations and assets, individuals, other organizations, and the Nation. Risk assessments also consider risk from external parties, including contractors who operate systems on behalf of the organization, individuals who access organizational systems, service providers, and outsourcing entities.

Organizations can conduct risk assessments at all three levels in the risk management hierarchy (i.e., organization level, mission/business process level, or information system level) and at any stage in the system development life cycle. Risk assessments can also be conducted at various steps in the Risk Management Framework, including preparation, categorization, control selection, control implementation, control assessment, authorization, and control monitoring. Risk assessment is an ongoing activity carried out throughout the system development life cycle.

Risk assessments can also address information related to the system, including system design, the intended use of the system, testing results, and supply chain-related information or artifacts. Risk assessments can play an important role in control selection processes, particularly during the application of tailoring guidance and in the earliest phases of capability determination.

Control Enhancements

RA-3(1): Supply Chain Risk Assessment


  • Low
  • Moderate
  • High

Assess supply chain risks associated with [Assignment: organization-defined systems, system components, and system services]; and Update the supply chain risk assessment [Assignment: organization-defined frequency], when there are significant changes to the relevant supply chain, or when changes to the system, environments of operation, or other conditions may necessitate a change in the supply chain.

RA-3(3): Dynamic Threat Awareness


(Not part of any baseline)

Determine the current cyber threat environment on an ongoing basis using [Assignment: organization-defined means].

RA-3(4): Predictive Cyber Analytics


(Not part of any baseline)

Employ the following advanced automation and analytics capabilities to predict and identify risks to [Assignment: organization-defined systems or system components]: [Assignment: organization-defined advanced automation and analytics capabilities].