Navigate

CCI-001053

CCI-001053 Definition

Defines a frequency for updating the risk assessment.

Status
Type	CheckType.policy

Master Assessment Datasheet

Implementation Guidance

DoD has defined the frequency as upon re-accreditation.

Validation Procedures

The organization being inspected/assessed is automatically compliant with this CCI because they are covered at the DoD level. DoD has defined the frequency as upon re-accreditation.

Compelling Evidence

Automatically compliant.

Related Controls

The controls below (if any) were marked by NIST as being related to CCI-001053.

Control	Description
RA-3	The organization: a: Conducts an assessment of risk, including the likelihood and magnitude of harm, from the unauthorized access, use, disclosure, disruption, modification, or destruction of the information system and the information it processes, stores, or transmits; b: Documents risk assessment results in []; c: Reviews risk assessment results [organization-defined frequency]; d: Disseminates risk assessment results to [organization-defined personnel or roles]; and e: Updates the risk assessment [organization-defined frequency] or whenever there are significant changes to the information system or environment of operation (including the identification of new threats and vulnerabilities), or other conditions that may impact the security state of the system.

Control

Description

RA-3

The organization:

a: Conducts an assessment of risk, including the likelihood and magnitude of harm, from the unauthorized access, use, disclosure, disruption, modification, or destruction of the information system and the information it processes, stores, or transmits;

b: Documents risk assessment results in [];

c: Reviews risk assessment results [organization-defined frequency];

d: Disseminates risk assessment results to [organization-defined personnel or roles]; and

e: Updates the risk assessment [organization-defined frequency] or whenever there are significant changes to the information system or environment of operation (including the identification of new threats and vulnerabilities), or other conditions that may impact the security state of the system.