Navigate

CCI-002370

CCI-002370 Definition

Disseminate risk assessment results to organization-defined personnel or roles.

Status
Type	CheckType.policy

Master Assessment Datasheet

Implementation Guidance

The organization being inspected/assessed documents and implements a process to disseminates risk assessment results to the ISSM, ISSO, AO, and PM. DoD has defined the personnel or roles as the ISSM, ISSO, AO, and PM.

Validation Procedures

The organization conducting the inspection/assessment obtains and examines the documented process to ensure the organization being inspected/assessed disseminates the risk assessment results to the ISSM, ISSO, AO, and PM. DoD has defined the personnel or roles as the ISSM, ISSO, AO, and PM.

Compelling Evidence

1.) System security plan (SSP). 2.) Reference to system security plan (SSP) section pertaining to vulnerability scanning procedure. Reference section pertaining to a procedure for disseminating relevant information to the ISSM, ISSO, AO, and PM etc.

Related Controls

The controls below (if any) were marked by NIST as being related to CCI-002370.

Control	Description
RA-3	The organization: a: Conducts an assessment of risk, including the likelihood and magnitude of harm, from the unauthorized access, use, disclosure, disruption, modification, or destruction of the information system and the information it processes, stores, or transmits; b: Documents risk assessment results in [one of "security plan"/"risk assessment report"/" {{ insert: param, ra-3_prm_2 }} "]; c: Reviews risk assessment results [one of ]; d: Disseminates risk assessment results to [one of ]; and e: Updates the risk assessment [one of ] or whenever there are significant changes to the information system or environment of operation (including the identification of new threats and vulnerabilities), or other conditions that may impact the security state of the system.

Control

Description

RA-3

The organization:

a: Conducts an assessment of risk, including the likelihood and magnitude of harm, from the unauthorized access, use, disclosure, disruption, modification, or destruction of the information system and the information it processes, stores, or transmits;

b: Documents risk assessment results in [one of "security plan"/"risk assessment report"/" {{ insert: param, ra-3_prm_2 }} "];

c: Reviews risk assessment results [one of ];

d: Disseminates risk assessment results to [one of ]; and

e: Updates the risk assessment [one of ] or whenever there are significant changes to the information system or environment of operation (including the identification of new threats and vulnerabilities), or other conditions that may impact the security state of the system.