RA-03 Risk Assessment

Risk Assessment

Low Moderate High Privacy

Description

The organization conducts assessments of the risk and magnitude of harm that could result from the unauthorized access, use, disclosure, disruption, modification, or destruction of information and information systems that support the operations and assets of the agency (including information and information systems managed/operated by external parties).

Supplemental Guidance

Risk assessments take into account vulnerabilities, threat sources, and security controls planned or in place to determine the resulting level of residual risk posed to organizational operations, organizational assets, or individuals based on the operation of the information system. The organization also considers potential impacts to other organizations and, in accordance with the USA PATRIOT Act and Homeland Security Presidential Directives, potential national-level impacts in categorizing the information system. Risk assessments also take into account risk posed to organizational operations, organizational assets, or individuals from external parties (e.g., service providers, contractors operating information systems on behalf of the organization, individuals accessing organizational information systems, outsourcing entities). In accordance with OMB policy and related E-authentication initiatives, authentication of public users accessing federal information systems may also be required to protect nonpublic or privacy-related information. As such, organizational assessments of risk also address public access to federal information systems. The General Services Administration provides tools supporting that portion of the risk assessment dealing with public access to federal information systems. NIST Special Publication 800-30 provides guidance on conducting risk assessments including threat, vulnerability, and impact assessments.

Changes from Rev 4

Control text adds privacy and a statement about integrating risk assessment results and risk management decisions with system-level risk assessments.

Discussion adds information about the need for risk assessments to consider threats, vulnerabilities, likelihood, and impact based on the operation and use of systems, as well as risk from external parties, individuals accessing organizational systems, contractors operating systems on behalf of the organization, service providers, and outsourcing entities.

Incorporates privacy risk assessment elements of withdrawn App J control AR-2.

Enhancements

(0) None.

Compliance Mappings

ISO 27001:2022

6.1.2(d), 6.1.2(d)(1), 6.1.2(d)(2), 6.1.2(d)(3), 6.1.2(e), 6.1.2(e)(1), 6.1.2(e)(2), 8.2

ISO 27002:2022

5.35, 5.36, 5.8, 7.5, 8.8

COBIT 2019

APO12.02, MEA02.01, MEA02.02

NIST CSF 2.0

GV.RM-06, ID, ID.IM-01, ID.IM-02, ID.RA-01, ID.RA-05

SOC 2 TSC

A1.2, CC3.1-POF16, CC3.2-POF1, CC3.2-POF2, CC3.2-POF3, CC3.2-POF6, CC3.2-POF8, CC3.2-POF9, CC3.4-POF1, CC3.4-POF2, CC3.4-POF3, CC3.4-POF4, CC3.4-POF5, CC4.1, CC7.2-POF4, CC7.3

ISO 17799 (legacy)

4.0, 4.1, 4.2, 6.2.1, 10.10.2, 10.10.5, 12.5.1, 12.6.1, 14.1.1, 14.1.2

COBIT 4.1 (legacy)

PO9.3, PO9.4, AI1.1