What is Risk Assessment (ID.RA)?

The organization understands the cybersecurity risk to organizational operations (including mission, functions, image, or reputation), organizational assets, and individuals.

ID.RA-01:

Vulnerabilities in first-party and third-party assets are identified, validated, and recorded (formerly ID.RA-1 and DE.CM-8)

- Example 1: Infrastructure vulnerability scans evaluate internal and Internet-exposed systems.

- Example 2: Infrastructure vulnerability scans evaluate systems from the network (unauthenticated) and within operating systems (authenticated).

- Example 3: Infrastructure is evaluated by penetration testing where sensitive data is present.

- Example 4: Security benchmark dashboards are reviewed monthly (e.g. Microsoft Secure Score and AWS Trusted Advisor).

- Example 5: All web applications are subjected to source code scanning and software composition analysis.

- Example 6: Applications that store, process or transmit sensitive information are also tested with dynamic application scanning.

- Example 7: Internet-exposed applications that host sensitive data are also subjected to web application penetration testing.

ID.RA-02:

Cyber threat intelligence is received from information-sharing forums and sources 

- Example 1: Cybersecurity professionals receive cyber threat intelligence from reputable sources (e.g. CISA, InfraGard and an Information Sharing and Analysis Center (ISAC)).

- Example 2: Software is configured to receive updated threat information (e.g. endpoint protection and response, vulnerability scanning tools, etc.).

- Example 3: Security Information and Event Management (SIEM) software ingests cyber threat intelligence feeds.

ID.RA-03:

Threats, both internal and external, are identified and recorded

- Example 1: An analysis of in-scope threat actors for the organization has been documented.

- Example 2: The analysis includes a description of their motivations and targeted data.

- Example 3: Nation states, criminal enterprises, insider threat and hacktivists are considered within the analysis.

- Example 4: Risk assessments include newly adopted technologies such as Generative AI.

ID.RA-04:

Potential business impacts and likelihoods are identified and recorded 


ID.RA-05:

Threats, vulnerabilities, likelihoods, and impacts are used to determine exposure and inform risk prioritization

- Example 1: Assessment scope includes key systems and applications that would likely be of risk based on threat actors, their motivations and targeted data.

- Example 2: The assessment documents technical security weaknesses that could be exploited by identified threat actors, resulting in business impact.

ID.RA-06:

Risk responses are chosen, prioritized, planned, tracked, and communicated (formerly ID.RA-6 and RS.MI-3)

- Example 1: Vulnerabilities are remediated and tracked to closure based on risk priority.

- Example 2: CISA Known Exploited Vulnerabilities are considered high risk, to be remediated within one week.

- Example 3: Responses include compensating controls to mitigate risk, aligned with the organization's risk tolerance.

- Example 4: Plan of Action and Milestones (POA&Ms) are documented based on findings from security control assessments and continuous monitoring activities.

- Example 5: Risk register entries document extended remediation (risk mitigate) or instances when a vulnerability will be left in place (risk accept).
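As an added illustration of how ID.RA-05 and ID.RA-06 fit together (example code written for this page, not part of the NIST framework or of any tool the page names), the following Python prioritizes findings by exposure (likelihood multiplied by impact), treats any match against the CISA Known Exploited Vulnerabilities catalog as high risk with the one-week remediation deadline the text states, and separates "mitigate" from "accept" responses so the accepted items can be carried into the risk register. The CVE identifiers, the catalog contents, the 3x3 scoring scale, and the 30-day and 90-day deadlines for moderate and low risk are constructed assumptions, not values from the page.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Constructed stand-in for the CISA KEV catalog (placeholder ids, not real entries).
KEV_CATALOG = {"CVE-0000-0001", "CVE-0000-0003"}

# Assumed 3-point scales for likelihood and impact (ID.RA-04 / ID.RA-05 inputs).
LIKELIHOOD = {"low": 1, "moderate": 2, "high": 3}
IMPACT = {"low": 1, "moderate": 2, "high": 3}

# Remediation deadlines in days. The 7-day value for high risk is the page's
# KEV rule; the 30- and 90-day values are assumptions for this example.
SLA_DAYS = {"high": 7, "moderate": 30, "low": 90}


@dataclass
class Finding:
    cve: str
    asset: str
    likelihood: str
    impact: str
    identified: date
    response: str = "mitigate"  # "mitigate" or "accept" (ID.RA-06 Example 5)


@dataclass
class RiskEntry:
    cve: str
    asset: str
    exposure: int
    level: str
    kev: bool
    due: date
    response: str


def risk_level(exposure: int, kev: bool) -> str:
    """Map exposure to a level; a KEV match is always high regardless of score."""
    if kev or exposure >= 6:
        return "high"
    if exposure >= 3:
        return "moderate"
    return "low"


def assess(finding: Finding) -> RiskEntry:
    """Combine threat (KEV), likelihood and impact into one prioritized entry."""
    exposure = LIKELIHOOD[finding.likelihood] * IMPACT[finding.impact]
    kev = finding.cve in KEV_CATALOG
    level = risk_level(exposure, kev)
    due = finding.identified + timedelta(days=SLA_DAYS[level])
    return RiskEntry(finding.cve, finding.asset, exposure, level, kev, due,
                     finding.response)


def prioritize(findings: list[Finding]) -> list[RiskEntry]:
    """Earliest remediation deadline first; higher exposure breaks ties."""
    entries = [assess(f) for f in findings]
    entries.sort(key=lambda e: (e.due, -e.exposure))
    return entries


def overdue(entries: list[RiskEntry], today_iso: str) -> list[RiskEntry]:
    """Items still planned for mitigation whose deadline has passed (tracking to closure)."""
    today = date.fromisoformat(today_iso)
    return [e for e in entries if e.response == "mitigate" and today > e.due]


def register_entries(entries: list[RiskEntry]) -> list[RiskEntry]:
    """Accepted risks belong in the risk register rather than the remediation queue."""
    return [e for e in entries if e.response == "accept"]


# Constructed sample findings, as a vulnerability scanner might report them.
SAMPLE_FINDINGS = [
    Finding("CVE-0000-0001", "web-portal", "moderate", "high", date(2024, 1, 10)),
    Finding("CVE-0000-0002", "hr-db", "high", "high", date(2024, 1, 5)),
    Finding("CVE-0000-0003", "print-server", "low", "low", date(2024, 1, 12)),
    Finding("CVE-0000-0004", "lab-vm", "low", "moderate", date(2024, 1, 12),
            response="accept"),
]

if __name__ == "__main__":
    for e in prioritize(SAMPLE_FINDINGS):
        flag = " [KEV]" if e.kev else ""
        print(f"{e.due} {e.level:8} exposure={e.exposure} {e.cve} on {e.asset}"
              f" ({e.response}){flag}")
    print("overdue:", [e.cve for e in overdue(prioritize(SAMPLE_FINDINGS), "2024-01-15")])
```

Note that the print-server finding scores only 1 on the likelihood-impact scale, yet the KEV match forces it to high with a seven-day deadline, which is exactly the override the page's Example 2 describes; the accepted lab-vm item drops out of the remediation queue and surfaces only through the register view.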

ID.RA-07:

Changes are managed, assessed for risk impact, and recorded (formerly part of PR.IP-3) 

- Example 1: Change request tickets include fail-back plans. Testing is conducted in a non-production environment.

- Example 2: Change requests are submitted for approval to a Change Advisory Board (CAB) or similar function.

- Example 3: Changes are implemented within a maintenance window, with testing to ensure functionality has not been adversely affected.

- Example 4: Cybersecurity representatives are assigned to the CAB (primary and alternate).

ID.RA-08:

Risks associated with technology suppliers and their supplied products and services are identified, recorded, prioritized, and monitored (formerly ID.SC-2 and PR.DS-8) 

- Example 1: Prospective suppliers and service providers are evaluated through procurement processes.

- Example 2: IT equipment is purchased through reputable manufacturers and resellers to minimize supply chain risk.

- Example 3: Commercial services are used to validate the legitimacy and financial solvency of a prospective supplier (e.g. Thomson Reuters and Dun & Bradstreet).

ID.RA-09:

Processes for receiving, analyzing, and responding to vulnerability disclosures are established (formerly RS.AN-5) 

- Example 1: Cyber threat intelligence drives activities such as installing a patch or implementing a security configuration.

- Example 2: Cybersecurity professionals conduct threat hunts, actively searching for adversaries in the IT environment.

- Example 3: Threat intelligence and hunting activities are documented in a log or service desk tickets.

ID.RA-10:

Exceptions to security measures are reviewed, tracked, and compensated for 

- Example 1: Low-risk exceptions to security policies or standards are documented within a Policy Exception Request Form.

- Example 2: Exceptions that will eventually meet the requirement are documented in a Plan of Action and Milestone (POA&M).

- Example 3: Moderate- or high-risk exceptions are documented within a risk register entry.