Doc:NIST SP 800-53Ar1 Appendix F/Enhanced/RA/Moderate

From FISMApedia

NIST SP 800-53Ar1 Assessment Procedure Catalog, with SP 800-53r3 Security Controls


RISK ASSESSMENT

RA-1 RISK ASSESSMENT POLICY AND PROCEDURES


FAMILY: RISK ASSESSMENT
CLASS: MANAGEMENT


Security Control Baseline:
RA-1 Risk Assessment Policy and Procedures | Priority: P1 | LOW: RA-1 | MOD: RA-1 | HIGH: RA-1


SECURITY CONTROL

Template:Doc:NIST SP 800-53r3 Appendix F/RA-1


ASSESSMENT PROCEDURE
RA-1 RISK ASSESSMENT POLICY AND PROCEDURES
RA-1.1 ASSESSMENT OBJECTIVE:
Determine if:
(i) the organization develops and formally documents risk assessment policy;
(ii) the organization risk assessment policy addresses:
(iii) the organization disseminates formal documented risk assessment policy to elements within the organization having associated risk assessment roles and responsibilities;
(iv) the organization develops and formally documents risk assessment procedures;
(v) the organization risk assessment procedures facilitate implementation of the risk assessment policy and associated risk assessment controls; and
(vi) the organization disseminates formal documented risk assessment procedures to elements within the organization having associated risk assessment roles and responsibilities.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Risk assessment policy and procedures; other relevant documents or records].
Interview: [SELECT FROM: Organizational personnel with risk assessment responsibilities].
RA-1.2 ASSESSMENT OBJECTIVE:
Determine if:
(i) the organization defines the frequency of risk assessment policy reviews/updates;
(ii) the organization reviews/updates risk assessment policy in accordance with organization-defined frequency;
(iii) the organization defines the frequency of risk assessment procedure reviews/updates; and
(iv) the organization reviews/updates risk assessment procedures in accordance with organization-defined frequency.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Risk assessment policy and procedures; other relevant documents or records].
Interview: [SELECT FROM: Organizational personnel with risk assessment responsibilities].


RA-2 SECURITY CATEGORIZATION


FAMILY: RISK ASSESSMENT
CLASS: MANAGEMENT


Security Control Baseline:
RA-2 Security Categorization | Priority: P1 | LOW: RA-2 | MOD: RA-2 | HIGH: RA-2


SECURITY CONTROL

Template:Doc:NIST SP 800-53r3 Appendix F/RA-2


ASSESSMENT PROCEDURE
RA-2 SECURITY CATEGORIZATION
RA-2.1 ASSESSMENT OBJECTIVE:
Determine if:
(i) the organization categorizes information and the information system in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance;
(ii) the organization documents the security categorization results (including supporting rationale) in the security plan for the information system; and
(iii) the authorizing official or authorizing official designated representative reviews and approves the security categorization decision.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Risk assessment policy; procedures addressing security categorization of organizational information and information systems; security planning policy and procedures; security plan; security categorization documentation; other relevant documents or records].
Interview: [SELECT FROM: Organizational personnel with security categorization and risk assessment responsibilities].



RA-3 RISK ASSESSMENT


FAMILY: RISK ASSESSMENT
CLASS: MANAGEMENT


Security Control Baseline:
RA-3 Risk Assessment | Priority: P1 | LOW: RA-3 | MOD: RA-3 | HIGH: RA-3


SECURITY CONTROL

Template:Doc:NIST SP 800-53r3 Appendix F/RA-3


ASSESSMENT PROCEDURE
RA-3 RISK ASSESSMENT
RA-3.1 ASSESSMENT OBJECTIVE:
Determine if:
(i) the organization conducts an assessment of risk of the information system and the information it processes, stores, or transmits that includes the likelihood and magnitude of harm, from the unauthorized:
(ii) the organization defines the document in which risk assessment results are documented, selecting from the security plan, risk assessment report, or other organization-defined document;
(iii) the organization documents risk assessment results in the organization-defined document;
(iv) the organization defines the frequency for review of the risk assessment results;
(v) the organization reviews risk assessment results in accordance with the organization-defined frequency;
(vi) the organization defines the frequency that risk assessments are updated; and
(vii) the organization updates the risk assessment in accordance with the organization-defined frequency or whenever there are significant changes to the information system or environment of operation, or other conditions that may impact the security state of the system.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Risk assessment policy; security planning policy and procedures; procedures addressing organizational assessments of risk; security plan; risk assessment; other relevant documents or records].
Interview: [SELECT FROM: Organizational personnel with risk assessment responsibilities].



RA-5 VULNERABILITY SCANNING


FAMILY: RISK ASSESSMENT
CLASS: MANAGEMENT


Security Control Baseline:
RA-5 Vulnerability Scanning | Priority: P1 | LOW: RA-5 | MOD: RA-5 (1) | HIGH: RA-5 (1) (2) (3) (4) (5) (7)


SECURITY CONTROL

Template:Doc:NIST SP 800-53r3 Appendix F/RA-5


ASSESSMENT PROCEDURE
RA-5 VULNERABILITY SCANNING
RA-5.1 ASSESSMENT OBJECTIVE:
Determine if:
(i) the organization defines:
  • the frequency for conducting vulnerability scans on the information system and hosted applications; and/or
  • the organization-defined process for conducting random vulnerability scans on the information system and hosted applications;
(ii) the organization scans for vulnerabilities in the information system and hosted applications in accordance with the organization-defined frequency and/or the organization-defined process for random scans;
(iii) the organization scans for vulnerabilities in the information system and hosted applications when new vulnerabilities potentially affecting the system/applications are identified and reported;
(iv) the organization employs vulnerability scanning tools and techniques that use standards to promote interoperability among tools and automate parts of the vulnerability management process that focus on:
  • enumerating platforms, software flaws, and improper configurations;
  • formatting and making transparent checklists and test procedures; and
  • measuring vulnerability impact; and
(v) the organization analyzes vulnerability scan reports and results from security control assessments.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Risk assessment policy; procedures addressing vulnerability scanning; risk assessment; security plan; vulnerability scanning results; patch and vulnerability management records; other relevant documents or records].
Interview: [SELECT FROM: Organizational personnel with risk assessment and vulnerability scanning responsibilities].
RA-5.2 ASSESSMENT OBJECTIVE:
Determine if:
(i) the organization defines the response times for remediating legitimate vulnerabilities in accordance with an organizational assessment of risk;
(ii) the organization remediates legitimate vulnerabilities in accordance with organization-defined response times; and
(iii) the organization shares information obtained from the vulnerability scanning process and security control assessments with designated personnel throughout the organization to help eliminate similar vulnerabilities in other information systems (i.e., systemic weaknesses or deficiencies).
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Risk assessment policy; procedures addressing vulnerability scanning; risk assessment; security plan; vulnerability scanning results; patch and vulnerability management records; other relevant documents or records].
Interview: [SELECT FROM: Organizational personnel with risk assessment and vulnerability scanning responsibilities].


SECURITY CONTROL ENHANCEMENT

Template:Doc:NIST SP 800-53r3 Appendix F/RA-5/1


RA-5(1) VULNERABILITY SCANNING
RA-5(1).1 ASSESSMENT OBJECTIVE:
Determine if the organization uses vulnerability scanning tools that have the capability to readily update the list of information system vulnerabilities scanned.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Risk assessment policy; procedures addressing vulnerability scanning; vulnerability scanning tools and techniques documentation; records of updates to vulnerabilities scanned; other relevant documents or records].
Test: [SELECT FROM: Vulnerability scanning capability and associated scanning tools].

