Control statement
a. Conduct a risk assessment, including:
1. Identifying threats to and vulnerabilities in the system;
2. Determining the likelihood and magnitude of harm from unauthorized access, use, disclosure, disruption, modification, or destruction of the system, the information it processes, stores, or transmits, and any related information; and
3. Determining the likelihood and impact of adverse effects on individuals arising from the processing of personally identifiable information;
b. Integrate risk assessment results and risk management decisions from the organization and mission or business process perspectives with system-level risk assessments;
c. Document risk assessment results in {{ insert: param, ra-03_odp.01 }};
d. Review risk assessment results {{ insert: param, ra-03_odp.03 }};
e. Disseminate risk assessment results to {{ insert: param, ra-03_odp.04 }} ; and
f. Update the risk assessment {{ insert: param, ra-03_odp.05 }} or when there are significant changes to the system, its environment of operation, or other conditions that may impact the security or privacy state of the system.
Guidance: Significant change is defined in NIST Special Publication 800-37 Revision 2, Appendix F.
(e) Requirement: Include all Authorizing Officials; for JAB authorizations to include FedRAMP. Parameter placeholders {{ insert: param, … }} reference FedRAMP-set values in the resolved profile. Full parameter map is
preserved in the catalog database.
Covered by these Key Security Indicators
| KSI | Title | Category |
|---|---|---|
| KSI-AFR-04 | Vulnerability Detection and Response Document the vulnerability detection and vulnerability response methodology used within the cloud service offering in alignment with the FedRAMP Vulnerability Detection and Response (VDR) process and persistently address all related requirements and recommendations. | Authorization by FedRAMP |