Navigate

CCI-001048

CCI-001048 Definition

Conduct a risk assessment, including determining the likelihood and magnitude of harm, from the unauthorized access, use, disclosure, disruption, modification, or destruction of the system, the information it processes, stores, or transmits, and any related information.

Status
Type	CheckType.policy

Master Assessment Datasheet

Implementation Guidance

The organization being inspected/assessed conducts an assessment of risk of the information system and the information it processes, stores, or transmits that includes the likelihood and magnitude of harm from the unauthorized access, use, disclosure, disruption, modification, or destruction. The organization must maintain an audit trail of assessments.

Validation Procedures

The organization conducting the inspection/assessment obtains and examines the audit trail of assessments to ensure the organization being inspected/assessed conducts an assessment of risk of the information system and the information it processes, stores, or transmits that includes the likelihood and magnitude of harm from the unauthorized access, use, disclosure, disruption, modification, or destruction.

Compelling Evidence

1.) System security plan (SSP). 2.) Reference to system security plan (SSP) section pertaining to Risk Assessment Implementation.

Related Controls

The controls below (if any) were marked by NIST as being related to CCI-001048.

Control	Description
RA-3	The organization: a: Conducts an assessment of risk, including the likelihood and magnitude of harm, from the unauthorized access, use, disclosure, disruption, modification, or destruction of the information system and the information it processes, stores, or transmits; b: Documents risk assessment results in []; c: Reviews risk assessment results [organization-defined frequency]; d: Disseminates risk assessment results to [organization-defined personnel or roles]; and e: Updates the risk assessment [organization-defined frequency] or whenever there are significant changes to the information system or environment of operation (including the identification of new threats and vulnerabilities), or other conditions that may impact the security state of the system.

Control

Description

RA-3

The organization:

a: Conducts an assessment of risk, including the likelihood and magnitude of harm, from the unauthorized access, use, disclosure, disruption, modification, or destruction of the information system and the information it processes, stores, or transmits;

b: Documents risk assessment results in [];

c: Reviews risk assessment results [organization-defined frequency];

d: Disseminates risk assessment results to [organization-defined personnel or roles]; and

e: Updates the risk assessment [organization-defined frequency] or whenever there are significant changes to the information system or environment of operation (including the identification of new threats and vulnerabilities), or other conditions that may impact the security state of the system.