home || catalog: SP800-53rev3 / class: Management / family: (RA) Risk Assessment ||
search controls:
search nistpubs:


RA-03 *


  RA-03: Risk Assessment  

base control objective:
The organization:
a. Conducts assessments of risk, including the likelihood and magnitude of harm, from the unauthorized access, use, disclosure, disruption, modification, or destruction of information and information systems that support the operations and assets of the organization;
b. Reviews risk assessment results [Assignment: organization-defined frequency]; and
c. Updates risk assessments [Assignment: organization-defined frequency] or whenever there are significant changes to the information system or environment of operation (including the identification of new threats and vulnerabilities), or other conditions that may impact the security state of the system.

supplemental objective information:
Risk assessments take into account vulnerabilities, threat sources, and security controls planned or in place to determine the level of residual risk posed to organizational operations and assets, individuals, other organizations, and the Nation based on the operation of the information system. Risk assessments also take into account risk posed to organizational operations, organizational assets, or individuals from external parties (e.g., service providers, contractors operating information systems on behalf of the organization, individuals accessing organizational information systems, outsourcing entities). In accordance with OMB policy and related E-authentication initiatives, authentication of public users accessing federal information systems may also be required to protect nonpublic or privacy-related information. As such, organizational assessments of risk also address public access to federal information systems. The General Services Administration provides tools supporting that portion of the risk assessment dealing with public access to federal information systems.

enhancements to the base objective:

(1) None.

mapping to FIPS199 baseline:

  LOW: base     MOD: base     HIGH: base  

related (regimented) controls:


documents referenced in SP800-53rev3 for RA-03:

Document Date Status Title
NIST SP800-115 September, 2008 current   Technical Guide to Information Security Testing and Assessment
NIST SP800-12 October, 1995 current   An Introduction to Computer Security: The NIST Handbook
NIST SP800-121 June, 2012 current   Guide to Bluetooth Security
NIST SP800-13 October, 1995 current   Telecommunications Security Guidelines for Telecommunications Management Network
NIST SP800-14 September, 1996 current   Generally Accepted Principles and Practices for Securing Information Technology Systems
NIST SP800-19 October, 1999 current   Mobile Agent Security
NIST SP800-23 August, 2000 current   Guidelines to Federal Organizations on Security Assurance and Acquisition/Use of Tested/Evaluated Products
NIST SP800-24 August, 2000 current   PBX Vulnerability Analysis: Finding Holes in Your PBX Before Someone Else Does
NIST SP800-25 October, 2000 current   Federal Agency Use of Public Key Technology for Digital Signatures and Authentication
NIST SP800-28 October, 2001 current   Guidelines on Active Content and Mobile Code
NIST SP800-30 July 2002 groan...   Risk Management Guide for Information Technology Systems
NIST SP800-32 February, 2001 current   Introduction to Public Key Technology and the Federal PKI Infrastructure
NIST SP800-34 May, 2010 current   Contingency Planning Guide for Information Technology Systems
NIST SP800-37 Feb, 2010 current   Guide for the Security Certification and Accreditation of Federal Information Systems
NIST SP800-39 December, 2010 DRAFT   Integrated Enterprise-Wide Risk Management: Organization, Mission, and Information System View
NIST SP800-40 November, 2005 current   Creating a Patch and Vulnerability Management Program
NIST SP800-44 September 2002 current   Guidelines on Securing Public Web Servers
NIST SP800-45 August, 2006 DRAFT   Guidelines on Electronic Mail Security
NIST SP800-46 June, 2009 current   Guide to Enterprise Telework and Remote Access Security
NIST SP800-48 July, 2008 current   Wireless Network Security: 802.11, Bluetooth, and Handheld Devices
NIST SP800-54 September, 2006 DRAFT   Border Gateway Protocol Security
NIST SP800-55 July, 2008 current   Security Metrics Guide for Information Technology Systems
NIST SP800-60v1 August, 2008 current   Volume 1, Guide for Mapping Types of Information and Information Systems to Security Categories
NIST SP800-60v2 August, 2008 current   Volume 2,Guide for Mapping Types of Information and Information Systems to Security Categories
NIST SP800-63 April, 2006 current   Electronic Authentication Guideline
NIST SP800-65 January, 2005 current   Integrating IT Security into the Capital Planning and Investment Control Process
NIST SP800-66 October, 2008 current   An Introductory Resource Guide for Implementing the Health Insurance Portability and Accountability Act (HIPAA) Security Rule
NIST SP800-82 June, 2011 current   Guide to Supervisory Control and Data Acquisition (SCADA) and Industrial Control Systems Security
NIST SP800-98 September, 2006 DRAFT   Guidelines for Securing Radio Frequency Identification (RFID) Systems

Search SP800-53rev3 catalog: