Level 5 CMMC - CMMC Practices

RM.3.144  

Reference: CMMC 1.02

Family: RM

Level Introduced: 3

Practice:
Periodically perform risk assessments to identify and prioritize risks according to the defined risk categories, risk sources, and risk measurement criteria.

CMMC Clarification:
This level 3 practice extends the related level 2 practice (RM.2.141) by requiring that defined risk categories, identified sources of risk, and specific risk measurement criteria be included in the risk assessment. Risk assessments are performed periodically to identify potential risks to the organization, or after an incident to mitigate recurrence of that risk. A risk assessment identifies risks to an organization's functions and the supporting assets: people, technology, information, and facilities. Threat information, vulnerabilities, likelihoods, and impacts are used to identify risk. Evaluate and prioritize the identified risks based on the defined risk criteria: risk sources, risk categories, and risk measurement criteria.

It is important to note that risk assessments differ from vulnerability scanning. A vulnerability scan focuses primarily on technical vulnerabilities in a system, and provides input to a risk assessment. A risk assessment may not be a strictly technical assessment. It includes such qualitative data as results from likelihood analysis and potential threat descriptions. Refer to RM.2.142 for vulnerability scanning.

Example
The CIO has asked you to perform a risk assessment for the organization’s IT assets. You assemble the leads from each major area across the IT organization. One of the first tasks the team performs is to define risk in terms of severity and impact to the organization. The team identifies organizational functions and the IT assets required to support them. This information is confirmed by executive input. You then lead the team through an exercise that defines the threats (e.g., APT, hacker, criminal) and attacker tools, techniques, and procedures (e.g., ransomware, defaced website) that the organization may face. The team uses publicly available information and previous internal IT assessments to create the organization’s threat list. The threats and an analysis of susceptibility are analyzed to determine the likelihood of occurring. The team ranks the impacts and prepares a report for the CIO. As a result of the report the CIO directs you to improve the security for the public facing web servers hosting a sponsor-used application. Additional tasks to mitigate risks are added to a prioritized action list to be worked by the IT organization.

RA-3

RISK ASSESSMENT

Description:
The organization:
    a. Conducts an assessment of risk, including the likelihood and magnitude of harm, from the unauthorized access, use, disclosure, disruption, modification, or destruction of the information system and the information it processes, stores, or transmits;
    b. Documents risk assessment results in [Selection: security plan; risk assessment report; [Assignment: organization-defined document]];
    c. Reviews risk assessment results [Assignment: organization-defined frequency];
    d. Disseminates risk assessment results to [Assignment: organization-defined personnel or roles]; and
    e. Updates the risk assessment [Assignment: organization-defined frequency] or whenever there are significant changes to the information system or environment of operation (including the identification of new threats and vulnerabilities), or other conditions that may impact the security state of the system.

Supplemental Guidance:
Clearly defined authorization boundaries are a prerequisite for effective risk assessments. Risk assessments take into account threats, vulnerabilities, likelihood, and impact to organizational operations and assets, individuals, other organizations, and the Nation based on the operation and use of information systems. Risk assessments also take into account risk from external parties (e.g., service providers, contractors operating information systems on behalf of the organization, individuals accessing organizational information systems, outsourcing entities). In accordance with OMB policy and related E-authentication initiatives, authentication of public users accessing federal information systems may also be required to protect nonpublic or privacy-related information. As such, organizational assessments of risk also address public access to federal information systems.
Risk assessments (either formal or informal) can be conducted at all three tiers in the risk management hierarchy (i.e., organization level, mission/business process level, or information system level) and at any phase in the system development life cycle. Risk assessments can also be conducted at various steps in the Risk Management Framework, including categorization, security control selection, security control implementation, security control assessment, information system authorization, and security control monitoring. RA-3 is noteworthy in that the control must be partially implemented prior to the implementation of other controls in order to complete the first two steps in the Risk Management Framework. Risk assessments can play an important role in security control selection processes, particularly during the application of tailoring guidance, which includes security control supplementation. Related controls: RA-2, PM-9.

Source: NIST Special Publication 800-53 Rev. 4

Source: CMMC v1.02