What is Risk Assessment (ID.RA)?

The organization understands the cybersecurity risk to organizational operations (including mission, functions, image, or reputation), organizational assets, and individuals.


Vulnerabilities in first-party and third-party assets are identified, validated, and recorded (formerly ID.RA-1 and DE.CM-8)

- Example 1: Infrastructure vulnerability scans evaluate internal and Internet-exposed systems.

- Example 2: Infrastructure vulnerability scans evaluate systems from the network (unauthenticated) and within operating systems (authenticated).

- Example 3: Infrastructure is evaluated by penetration testing where sensitive data is present.

- Example 4: Security benchmark dashboards are reviewed monthly (e.g. Microsoft Secure Score and AWS Trusted Advisor).

- Example 5: All web applications are subjected to source code scanning and software composition analysis.

- Example 6: Applications that store, process or transmit sensitive information are also tested with dynamic application scanning.

- Example 7: Internet-exposed applications that host sensitive data are also subjected to web application penetration testing.


Cyber threat intelligence is received from information-sharing forums and sources

- Example 1: Cybersecurity professionals receive cyber threat intelligence from reputable sources (e.g. CISA, InfraGard and an Information Sharing and Analysis Center (ISAC)).

- Example 2: Software is configured to receive updated threat information (e.g. endpoint protection and response, vulnerability scanning tools, etc.).

- Example 3: Security Information and Event Management (SIEM) software ingests cyber threat intelligence feeds.
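The following is an added example, not code from the original page, of the kind of matching a SIEM performs when it ingests a threat intelligence feed (Example 3 above). The feed format (comma-separated type, value, confidence), the proxy log layout, and the confidence threshold are assumptions made for illustration; the indicator values use RFC 5737 documentation addresses and `.invalid` domains, so none of them is a real indicator.

```python
"""Match a constructed CTI indicator feed against constructed proxy log lines.

Added example; the feed format, log format, and confidence threshold are
assumptions, not a real product's behaviour. All indicator values are
constructed (RFC 5737 documentation IPs and .invalid domains).
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed indicator feed: type, value, confidence (0-100)
INDICATOR_FEED = """\
# type,value,confidence
domain,update.example.invalid,90
domain,cdn-mirror.invalid,60
ipv4,192.0.2.77,95
ipv4-net,198.51.100.0/24,40
"""

# Constructed proxy log lines: timestamp src_ip action dest_host dest_ip
PROXY_LOG = """\
2024-03-01T10:00:01Z 10.0.0.5 ALLOW www.example.com 203.0.113.10
2024-03-01T10:00:07Z 10.0.0.9 ALLOW files.update.example.invalid 192.0.2.77
2024-03-01T10:01:15Z 10.0.0.5 ALLOW cdn-mirror.invalid. 203.0.113.44
2024-03-01T10:02:30Z 10.0.0.12 ALLOW intranet.corp.example 198.51.100.8
"""


@dataclass(frozen=True)
class Hit:
    line_no: int          # 1-based line in the log
    indicator_type: str   # domain / ipv4 / ipv4-net
    indicator: str        # indicator value that fired
    confidence: int       # feed-supplied confidence
    observed: str         # normalized value seen in the log


def parse_feed(text: str) -> list[tuple[str, str, int]]:
    """Parse the feed, skipping blank lines and '#' comments."""
    indicators = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        kind, value, confidence = (part.strip() for part in line.split(","))
        indicators.append((kind, value.lower(), int(confidence)))
    return indicators


def normalize_host(host: str) -> str:
    """Lower-case and drop a trailing dot so 'Host.' and 'host' compare equal."""
    return host.lower().rstrip(".")


def domain_matches(host: str, indicator: str) -> bool:
    """Exact match or any subdomain of the indicator domain."""
    return host == indicator or host.endswith("." + indicator)


def ip_matches(kind: str, indicator: str, observed: str) -> bool:
    addr = ip_address(observed)
    if kind == "ipv4":
        return addr == ip_address(indicator)
    if kind == "ipv4-net":
        return addr in ip_network(indicator, strict=False)
    return False


def match_indicators(log_text: str, feed_text: str, min_confidence: int = 50) -> list[Hit]:
    """Return every (log line, indicator) pair that matches at or above min_confidence."""
    indicators = [i for i in parse_feed(feed_text) if i[2] >= min_confidence]
    hits: list[Hit] = []
    for line_no, line in enumerate(log_text.splitlines(), start=1):
        fields = line.split()
        if len(fields) != 5:        # malformed line: skip rather than crash the pipeline
            continue
        _ts, _src, _action, dest_host, dest_ip = fields
        host = normalize_host(dest_host)
        for kind, value, confidence in indicators:
            if kind == "domain" and domain_matches(host, value):
                hits.append(Hit(line_no, kind, value, confidence, host))
            elif kind in ("ipv4", "ipv4-net") and ip_matches(kind, value, dest_ip):
                hits.append(Hit(line_no, kind, value, confidence, dest_ip))
    return hits


if __name__ == "__main__":
    for hit in match_indicators(PROXY_LOG, INDICATOR_FEED):
        print(f"line {hit.line_no}: {hit.indicator_type} {hit.indicator} "
              f"(confidence {hit.confidence}) observed as {hit.observed}")
```

The confidence threshold is the tuning point: the low-confidence network-range indicator only fires when the threshold is lowered, which is how a SIEM rule avoids alert noise from broad or stale indicators while still matching high-confidence domains and addresses, including subdomains of a listed domain.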


Threats, both internal and external, are identified and recorded

- Example 1: An analysis of in-scope threat actors for the organization has been documented.

- Example 2: The analysis includes a description of their motivations and targeted data.

- Example 3: Nation states, criminal enterprises, insider threat and hacktivists are considered within the analysis.

- Example 4: Risk assessments include newly adopted technologies such as Generative AI.


Potential business impacts and likelihoods are identified and recorded



Threats, vulnerabilities, likelihoods, and impacts are used to determine exposure and inform risk prioritization

- Example 1: Assessment scope includes key systems and applications that would likely be at risk based on threat actors, their motivations and targeted data.

- Example 2: The assessment documents technical security weaknesses that could be exploited by identified threat actors, resulting in business impact.


Risk responses are chosen, prioritized, planned, tracked, and communicated (formerly ID.RA-6 and RS.MI-3)

- Example 1: Vulnerabilities are remediated and tracked to closure based on risk priority.

- Example 2: CISA Known Exploited Vulnerabilities are considered high risk, to be remediated within one week.

- Example 3: Responses include compensating controls to mitigate risk, aligned with the organization's risk tolerance.

- Example 4: Plan of Action and Milestones (POA&Ms) are documented based on findings from security control assessments and continuous monitoring activities.

- Example 5: Risk register entries document extended remediation (risk mitigate) or instances when a vulnerability will be left in place (risk accept).
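The following is an added example, not code from the original page or from NIST or CISA, that ties the two preceding subcategories together: it combines likelihood and impact into an exposure score to prioritize findings (ID.RA exposure and prioritization above) and then assigns remediation due dates, with CISA Known Exploited Vulnerabilities forced to high risk and a one-week deadline (Example 2 above). The scoring weights, rating thresholds, SLA lengths, and asset attributes are assumptions for illustration; the KEV snapshot is constructed with placeholder CVE ids (`CVE-1900-xxxx`). The real catalog, published at https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json, is a JSON object whose `vulnerabilities` list carries a `cveID` field per entry, which is the only field this example relies on.

```python
"""Prioritize constructed vulnerability findings by exposure and assign SLAs.

Added example, not the page's or CISA's code. Weights, thresholds, SLA days
and the findings themselves are assumptions; CVE ids are placeholders.
"""
import json
from dataclasses import dataclass
from datetime import date, timedelta

# Constructed KEV snapshot using the real catalog's top-level shape
# ("vulnerabilities" list with a "cveID" per entry) and placeholder ids.
KEV_SNAPSHOT = json.dumps({
    "vulnerabilities": [
        {"cveID": "CVE-1900-0001", "vendorProject": "ExampleVendor", "product": "ExampleVPN"},
    ]
})


@dataclass(frozen=True)
class Finding:
    cve: str
    asset: str
    cvss_base: float
    internet_exposed: bool       # reachable from the Internet
    holds_sensitive_data: bool   # stores/processes/transmits sensitive data
    business_critical: bool      # supports a key mission function


# Constructed findings, e.g. from an authenticated scan plus an asset inventory
FINDINGS = [
    Finding("CVE-1900-0001", "vpn-gw-01", 7.5, True, False, True),
    Finding("CVE-1900-0002", "hr-db-01", 9.8, False, True, True),
    Finding("CVE-1900-0003", "kiosk-07", 5.3, False, False, False),
    Finding("CVE-1900-0004", "www-01", 8.0, True, False, True),
]

SLA_DAYS = {"high": 30, "medium": 90, "low": 180}   # assumed organizational SLAs
KEV_SLA_DAYS = 7                                    # one week, per the page


def load_kev_ids(kev_json: str) -> set[str]:
    """Collect the cveID values from a KEV catalog document."""
    return {entry["cveID"] for entry in json.loads(kev_json)["vulnerabilities"]}


def likelihood(f: Finding, kev_ids: set[str]) -> int:
    """1..5: known exploitation pins the score at 5; otherwise severity and reachability."""
    if f.cve in kev_ids:
        return 5
    score = 1
    if f.cvss_base >= 9.0:
        score += 2
    elif f.cvss_base >= 7.0:
        score += 1
    if f.internet_exposed:
        score += 1
    return min(score, 5)


def impact(f: Finding) -> int:
    """1..5 from the business value of the affected asset."""
    score = 1
    if f.holds_sensitive_data:
        score += 2
    if f.business_critical:
        score += 2
    return min(score, 5)


def rating_for(exposure: int) -> str:
    """Map a 1..25 exposure score to a rating band (assumed thresholds)."""
    if exposure >= 15:
        return "high"
    if exposure >= 8:
        return "medium"
    return "low"


def prioritize(findings: list[Finding], kev_ids: set[str], today: date) -> list[dict]:
    """Return findings with exposure, rating and due date, highest priority first."""
    plan = []
    for f in findings:
        in_kev = f.cve in kev_ids
        exposure = likelihood(f, kev_ids) * impact(f)
        rating = "high" if in_kev else rating_for(exposure)   # KEV is always high risk
        days = KEV_SLA_DAYS if in_kev else SLA_DAYS[rating]
        plan.append({"cve": f.cve, "asset": f.asset, "kev": in_kev,
                     "exposure": exposure, "rating": rating,
                     "due": today + timedelta(days=days)})
    # KEV entries first, then by exposure; asset name keeps ordering stable
    plan.sort(key=lambda p: (not p["kev"], -p["exposure"], p["asset"]))
    return plan


if __name__ == "__main__":
    for item in prioritize(FINDINGS, load_kev_ids(KEV_SNAPSHOT), date.today()):
        print(f"{item['asset']:<10} {item['cve']} exposure={item['exposure']:>2} "
              f"{item['rating']:<6} kev={item['kev']} due={item['due']}")
```

Two design choices reflect the page's guidance: KEV membership overrides the computed rating and deadline rather than merely adding to the score, so a moderately scored CVSS finding on an exposed asset still gets the one-week clock; and the output carries the due date per finding, which is what a tracking-to-closure process or a risk register entry for an extended remediation needs.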


Changes are managed, assessed for risk impact, and recorded (formerly part of PR.IP-3)

- Example 1: Change request tickets include fail-back plans. Testing is conducted in a non-production environment.

- Example 2: Change requests are submitted for approval to a Change Advisory Board (CAB) or similar function.

- Example 3: Changes are implemented within a maintenance window, with testing to ensure functionality has not been adversely affected.

- Example 4: Cybersecurity representatives are assigned to the CAB (primary and alternate).


Risks associated with technology suppliers and their supplied products and services are identified, recorded, prioritized, and monitored (formerly ID.SC-2 and PR.DS-8)

- Example 1: Prospective suppliers and service providers are evaluated through procurement processes.

- Example 2: IT equipment is purchased through reputable manufacturers and resellers to minimize supply chain risk.

- Example 3: Commercial services are used to validate the legitimacy and financial solvency of a prospective supplier (e.g. Thomson Reuters and Dun & Bradstreet).


Processes for receiving, analyzing, and responding to vulnerability disclosures are established (formerly RS.AN-5)

- Example 1: Cyber threat intelligence drives activities such as installing a patch or implementing a security configuration.

- Example 2: Cybersecurity professionals conduct threat hunts, actively searching for adversaries in the IT environment.

- Example 3: Threat intelligence and hunting activities are documented in a log or service desk tickets.


Exceptions to security measures are reviewed, tracked, and compensated for

- Example 1: Low risk exceptions to security policies or standards are documented within a Policy Exception Request Form.

- Example 2: Exceptions that will eventually meet the requirement are documented in a Plan of Action and Milestone (POA&M).

- Example 3: Moderate or high risk exceptions are documented within a risk register entry.