Navigate

CCI-001037

CCI-001037 Definition

Develop and document an organization-level; mission/business process-level; system-level risk assessment policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance.

Status
Type	CheckType.policy

Master Assessment Datasheet

Implementation Guidance

NIST SP 800-30 meets the DoD requirements for risk assessment policy and procedures. DoD Components are automatically compliant with this CCI because they are covered by the DoDi 8510.01 which adopts NIST SP 800-30 as the DoD risk assessment policy.

Validation Procedures

Compelling Evidence

Automatically compliant per DoDI 8510.01 which adopts NIST SP 800-30 as the DoD risk assessment policy.

Related Controls

The controls below (if any) were marked by NIST as being related to CCI-001037.

Control	Description
RA-1	The organization: a: Develops, documents, and disseminates to [one of ]: 1: A risk assessment policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and 2: Procedures to facilitate the implementation of the risk assessment policy and associated risk assessment controls; and b: Reviews and updates the current: 1: Risk assessment policy [one of ]; and 2: Risk assessment procedures [one of ].

Control

Description

RA-1

The organization:

a: Develops, documents, and disseminates to [one of ]:
- 1: A risk assessment policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and
- 2: Procedures to facilitate the implementation of the risk assessment policy and associated risk assessment controls; and

b: Reviews and updates the current:
- 1: Risk assessment policy [one of ]; and
- 2: Risk assessment procedures [one of ].