DoD Risk Assessment Guide 4_30_14 Final

Department of Defense (DoD) Cybersecurity Risk
Assessment Guide
April 22, 2014
Table of Contents
PURPOSE: .................................................................................................................................................... 1
SCOPE AND APPLICABILITY: ................................................................................................................. 1
BACKGROUND: ......................................................................................................................................... 1
INTRODUCTION: ....................................................................................................................................... 2
RISK ASSESSMENT PROCESS: ............................................................................................................... 5
STEP 1: PREPARE FOR ASSESSMENT .............................................................................................. 6
TASK 1-1: Identify Purpose: ................................................................................................................ 6
TASK 1-2: Identify Scope: ................................................................................................................... 6
TASK 1-3: Identify Assumptions and Constraints: .............................................................................. 7
TASK 1-4: Identify Information Sources: ............................................................................................ 7
TASK 1-5: Identify Risk Model and Analytic Approach: .................................................................... 8
STEP 2: CONDUCT RISK ASSESSMENT ........................................................................................... 9
TASK 2-1: Identify Threat Sources ................................................................................................... 11
TASK 2-2: Identify Threat Events ..................................................................................................... 13
TASK 2-3: Identify Vulnerabilities and Predisposing Conditions..................................................... 14
TASK 2-4: Determine Likelihood ..................................................................................................... 15
TASK 2-5: Determine Impact ............................................................................................................ 17
TASK 2-6: Determine Risk................................................................................................................ 18
STEP 3: COMMUNICATE AND SHARE RISK ASSESSMENT RESULTS .................................... 19
TASK 3-1: Communicate Risk Assessment Results ......................................................................... 19
TASK 3-2: Share Risk-related Information ....................................................................................... 20
STEP 4: MAINTAIN THE ASSESSMENT .......................................................................................... 20
TASK 4-1: Monitor Risk Factors....................................................................................................... 20
TASK 4-2: Update Risk Assessment ................................................................................................. 20
Table of Figures
Figure 1: Risk Assessment within the Risk Management Process................................................................ 2
Figure 2: Generic Risk Model with Key Risk Factors .................................................................................. 5
Figure 3: Risk Assessment Process ............................................................................................................... 6
DoD Risk Assessment Guide April 2014
i
Table 2-1: Template – Adversarial and Non-adversarial Risk.................................................................... 10
Table 2-2: Column Descriptions for Adversarial and Non-adversarial Risk Table .................................... 11
Table 2-3: Assessment Scale – Characteristics of Adversary Capability ................................................... 12
Table 2-4: Assessment Scale – Characteristics of Adversary Intent........................................................... 12
Table 2-5: Assessment Scale – Characteristics of Adversary Targeting .................................................... 12
Table 2-6: Assessment Scale – Range of Effects for Non-adversarial Threat Sources .............................. 13
Table 2-7: Relevance of Threat Events ....................................................................................................... 14
Table 2-8: Assessment Scale – Vulnerability Severity ............................................................................... 15
Table 2-9: Assessment Scale – Pervasiveness of Predisposing Conditions ................................................ 15
Table 2-10: Likelihood of Threat Event Initiation (Adversarial) or Occurrence (Non-Adversarial).......... 16
Table 2-11: Likelihood of Threat Event Resulting in Adverse Impacts ..................................................... 17
Table 2-12: Overall Likelihood .................................................................................................................. 17
Table 2-13: Impact of Threat Events .......................................................................................................... 18
Table 2-14: Level of Risk (Combination of Likelihood and Impact) ......................................................... 18
Table 2-15: Risk Level Descriptions .......................................................................................................... 19
PURPOSE: Provide a framework, methodology, and process for conducting risk assessments
within the Department of Defense (DoD), aligned with NIST SP 800-30, Guide for Conducting
Risk Assessments. NOTE: This guide summarizes and often cites specific content in NIST SP
800-30. In particular, the risk factors and definitions used herein are taken directly from NIST
SP 800-30. As practitioners require more information or desire to build more expertise, they
should reference NIST SP 800-30.
SCOPE AND APPLICABILITY: As discussed in DoDI 8500.01, Cybersecurity, risk
assessment is a key step in the organizational risk management process. Risk assessments will
be performed in accordance with the process in NIST SP 800-30 and as described on the
Knowledge Service (KS) (i.e., recommending preferred risk assessment approaches and analysis
approaches). In particular, all of the risk factors described in NIST SP 800-30 must be used
across components and agencies of the DoD to ensure reciprocity and ease of sharing risk
information. The robustness of the risk assessments may be tailored to accommodate resource
constraints and the availability of detailed risk factor information (e.g., threat data); however,
any tailoring must be clearly explained in risk assessment reports to ensure AOs understand to
what degree they can rely on the results of the risk assessments.[1]
DoDI 8510.01, Risk Management Framework (RMF) for DoD Information Technology (IT),
requires DoD Components to use the model consistent with NIST SP 800-30 (i.e., the model
provided in this guide), or justify the use of another risk assessment methodology within the
Component, to include addressing understanding of the impact on reciprocity across the federal,
Intelligence, and DoD communities. The risk assessment will be used by the Security Controls
Assessor (SCA) to determine the level of overall system cybersecurity risk and as a basis for a
recommendation for risk acceptance or denial to the Authorizing Official (AO).[2]
This guide can be used to perform risk assessments throughout an information system’s or a
platform information technology (PIT) system’s life cycle (as applied at Tier 3) within the risk
management process defined in NIST SP 800-39, Managing Information Security Risk: Organization, Mission, and Information System View. For example, risk assessments are
necessary to accurately categorize systems in order to select and tailor the appropriate set of
security controls in accordance with DoDI 8510.01 and Committee on National Security Systems
Instruction (CNSSI) 1253 Version 2, Security Categorization and Control Selection for National
Security Systems. Risk assessments are also necessary to determine the system’s overall residual
risk due to non-compliant security controls or unmitigated predisposing conditions identified
during security controls assessments. Risk assessments are also necessary to determine the effect
on risk due to changes to systems, their environment, or their use following authorization to
operate the system, as part of continuous monitoring efforts. This document serves as an
introduction to the general concepts of risk assessments, and it is augmented by the risk
assessment guidance found on the RMF KS.
BACKGROUND: The Joint Task Force Transformation Initiative (JTF) aligned the DoD and
the Intelligence Community’s policies, processes, and lexicon with the guidance in the National
[1] Source: DoDI 8500.01, Enclosure 3, paragraph 2.f.
[2] Source: DoDI 8510.01, Enclosure 6, paragraph 2.d.(1).
Institute of Standards and Technology (NIST) Special Publications (SP) 800-series. The DoD
adopted concepts embodied in NIST SP 800-39, Managing Information Security Risk: Organization, Mission, and Information System View, NIST SP 800-30, Guide for Conducting
Risk Assessments, NIST SP 800-37, Guide for Applying the Risk Management Framework to
Federal Information Systems, NIST SP 800-53, Security and Privacy Controls for Federal
Information Systems and Organizations, and NIST SP 800-53A, Guide for Assessing the Security
Controls in Federal Information Systems - Building Effective Security Assessment Plans. This
guide holds closely to the risk factors and their definitions in NIST SP 800-30.
As can be discerned from the definition of risk below, risk must be expressed in terms of
likelihood and impact. More specifically, risk is expressed as the likelihood and impact of a
threat event initiated or caused by a threat source against a vulnerability or predisposing
condition. A non-compliant security control is a type of vulnerability, but simply being non-compliant means little (there is no context), and the fact of non-compliance does not indicate
what the risk is. A risk assessment is required to embrace true risk management instead of
treating security control assessment as a compliance activity.
INTRODUCTION: Risk assessment is a key component of a holistic, organization-wide risk
management process defined in NIST Special Publication 800-39. As depicted in Figure 1, the
risk management process includes: (i) framing risk; (ii) assessing risk; (iii) responding to risk;
and (iv) monitoring risk. This guide focuses on assessing risk, such that the Authorizing Official
(AO) may respond to risk. Risk monitoring activities must follow the system’s authorization to
operate and will prompt the AO to respond accordingly throughout the system’s life cycle.
Figure 1: Risk Assessment within the Risk Management Process [3]
[3] Source: NIST SP 800-30.
Generically speaking, risk is a measure of the extent to which an entity (e.g., a person, building,
vehicle, aircraft, or information system) is threatened by a potential circumstance or event, and is
typically a function of: (i) adverse impacts that would arise if the circumstance or event occurs;
and (ii) likelihood of occurrence. More specifically, cybersecurity risks are risks that arise from
the loss of confidentiality, integrity, or availability of information or information/PIT systems
and reflect potential adverse impacts to organizational operations (i.e., mission, functions, image,
or reputation), organizational assets, individuals, other organizations, and the Nation. Note the
focus of impact is on impact to operations, not impact to the information/PIT system itself. Risk
must be expressed in operational terms.
Risk assessment is the process of identifying, estimating, and prioritizing information security
risks. Assessing risk requires the careful analysis of threat and vulnerability information to
determine the extent to which circumstances or events could adversely impact an organization
and the likelihood that such circumstances or events will occur. A risk model identifies risk
factors. The risk factors of concern in this guide are threat sources, threat events, likelihood,
vulnerabilities and predisposing conditions, and impact.
A threat is any circumstance or event with the potential to adversely impact organizational
operations and assets, individuals, other organizations, or the Nation through an information or
PIT system via unauthorized access, destruction, disclosure, or modification of information,
and/or denial of service.
A threat event[4] is an event or situation with the potential for causing undesirable consequences
or impact. Threat events are caused by threat sources (adversarial or non-adversarial).
A threat source[5] is characterized as: (i) the adversarial intent and method targeted at the
exploitation of a vulnerability; or (ii) a non-adversarial situation and method that may
accidentally exploit a vulnerability. Adversarial threat sources have the characteristics of
capability, intent, and targeting.[6] Non-adversarial threat sources (e.g., accidental, structural, or
environmental) have the characteristic of range of effects.[7]
A vulnerability is a weakness in an information/PIT system, system security procedures, internal
controls, or implementation that could be exploited by a threat source. Vulnerabilities have the
characteristic of severity.[8] Most information/PIT system vulnerabilities can be associated with
security controls that either have not been applied (either intentionally or unintentionally), or
have been applied, but retain some weakness. However, vulnerabilities are not identified only in
information/PIT systems but may be identified in the operational environment or in the
management of the policy, processes, and procedures of the entire cybersecurity program.
[4] Threat events can be specified as: (i) single events, actions, or circumstances; or (ii) sets and/or sequences of related actions, activities, and/or circumstances.
[5] A taxonomy of threat sources (adversarial, accidental, structural, and environmental) is provided in NIST SP 800-30, Appendix D, Table D-2.
[6] Assessment scales for adversary characteristics of capability, intent, and targeting are provided in NIST SP 800-30, Appendix D, Tables D-3, D-4, and D-5 respectively.
[7] An assessment scale for range of effects for non-adversarial threat sources is provided in NIST SP 800-30, Appendix D, Table D-6.
[8] The severity of a vulnerability is an assessment of the relative importance of mitigating/remediating the vulnerability. The severity can be determined by the extent of the potential adverse impact if such a vulnerability is exploited by a threat source. Thus, the severity of vulnerabilities, in general, is context-dependent.
A predisposing condition is a condition existing within an organization, a mission or business
process, enterprise architecture, information system/PIT, or environment of operation, which
affects (i.e., increases or decreases) the likelihood that threat events, once initiated, result in
adverse impacts.[9] Predisposing conditions have the characteristic of pervasiveness.
The likelihood of occurrence is a weighted risk factor based on an analysis of the probability a
given threat is capable of exploiting a given vulnerability (or set of vulnerabilities). Likelihood
combines an estimate of the likelihood the threat event will be initiated with an estimate of the
likelihood of impact (i.e., likelihood the threat event results in adverse impacts). For adversarial
threats, an assessment of likelihood of occurrence is typically based on: (i) adversary intent; (ii)
adversary capability; and (iii) adversary targeting. For non-adversarial threat events, the
likelihood of occurrence is estimated using historical evidence, empirical data, or other factors.
The level of impact from a threat event is the magnitude of harm expected to result from
consequences of unauthorized disclosure, modification, or destruction of information, or the loss
of information or information/PIT system availability.
Figure 2 illustrates the risk model including risk factors discussed above and relationships among
risk factors. The degree to which a risk factor is used in the risk assessment process depends on
the availability and detail of information related to that risk factor. For example, detailed threat
source or threat event data may not be available, so risk assessors make some assumptions. The
DoD’s RMF KS identifies threats and vulnerabilities associated with each control, and they are
assumed to be ever present for typical information/PIT systems connected to the DoD
Information Network (DoDIN) (formerly known as the Global Information Grid (GIG)). The
RMF KS content makes assumptions, and all assumptions made about any risk factor must be
clearly stated in a risk assessment report. If, for example, the threat source’s capability, intent,
and targeting are not known or are assumed, summarized, or collapsed to any extent, clearly state
in the risk assessment report all assumptions made and for what reason or the means for
summarizing or collapsing information.
[9] Predisposing conditions include, for example, the location of a facility in a hurricane- or flood-prone region (increasing the likelihood of exposure to hurricanes or floods) or a stand-alone information system with no external network connectivity (decreasing the likelihood of exposure to a network-based cyber attack).
Figure 2: Generic Risk Model with Key Risk Factors [10]
Risk assessments (formal or informal) are conducted at various steps in the RMF, including:
• Information/PIT system categorization
• Security control selection
• Security control implementation
• Security control assessment
• Information/PIT system authorization
• Security control monitoring
The risk model and analytic approach (discussed below) will vary based on the purpose of the
risk assessment at the various points in the RMF and, therefore, affect if or how results from
initial risk assessments may be reused or updated in follow-on risk assessment. The resulting
risk rating is conveyed to the AO, who must respond in some manner (e.g., approve the Security
Plan, authorize the system to operate, direct corrective actions to mitigate risk to an acceptable
level) consistent with the organizational risk frame.
RISK ASSESSMENT PROCESS: The DoD risk assessment process is adapted from NIST
SP 800-30. While NIST process steps/tasks, lexicon, and risk factors must be followed (to
ensure reciprocity across Federal, DoD, and Intelligence communities), the level of rigor is
adjustable within each step/task. This flexibility is necessary, because the information, expertise,
and resources required to perform each step/task may not always be readily available, or the level
of rigor may not prove cost effective (i.e., the cost of compliance may be higher than the cost of
failure). However, in communicating the results of any risk assessment, the level of rigor must
be explicitly identified per step/task. For example, a report might state that detailed threat
assessments were not performed, as no current or relevant threat data and analysis capability was
available; therefore, generic threat information was gathered from the RMF KS implementation
guidance and validation procedures and mapped to non-compliant security controls.
[10] Source: NIST SP 800-30.
The risk assessment process is composed of four steps: (i) prepare for the assessment; (ii)
conduct the assessment; (iii) communicate assessment results; and (iv) maintain the assessment.
Figure 3: Risk Assessment Process [11]
STEP 1: PREPARE FOR ASSESSMENT
Preparing for a risk assessment includes: (i) identify purpose; (ii) identify scope; (iii) identify
assumptions and constraints; (iv) identify information sources; and (v) identify risk model and
analytic approach.
TASK 1-1: Identify Purpose: The purpose may vary, but most practitioners using this guide
will assess and communicate information/PIT system risk to the AO following a security
controls assessment, so the AO can respond to risk; that is, make an authorization decision or
direct corrective actions. However, as discussed above, a risk assessment may also drive the
categorization of a system, and more importantly, the risk assessment is used to determine
the need to implement individual security controls (i.e., tailoring of controls based on the
absence or presence of threats that can exploit vulnerabilities). Also, risk assessments are
used to help choose between potential options for implementing the selected security controls
– each option is more or less effective in mitigating the identified risk. And finally, risk
assessments are performed on a continuing basis to determine the impact of changing threats
and vulnerabilities over time, following system authorization. Depending on the purpose of
the risk assessment, which drives the risk model and analytic approach discussed below,
prior risk assessments may or may not be leveraged or updated in later risk assessments. The
model, approach, and level of rigor can be very diverse.
TASK 1-2: Identify Scope: The scope addressed in this guide is focused on Tier 3,
Information/PIT Systems, but within the context of the Tier 2 architecture and
mission/business processes and Tier 1 organizational framework. Risk assessments may also
[11] Source: NIST SP 800-30.
be performed at Tiers 1 and 2 from a broader context to determine risk at an organizational
level and guide the implementation of cybersecurity solutions across enterprise networks,
which often provide services to systems residing at Tier 3. Regardless of the scope of the
cybersecurity risk assessment, assessors must consider the broader context risk assessment
and management processes (e.g., acquisition program risk, Operational Risk Management,
community risk[12]), as cybersecurity risk is but one factor that weighs into those broader
decisions.
TASK 1-3: Identify Assumptions and Constraints: Examples of assumptions and
constraints include:
o Risk assessors may not have the resources to go beyond identifying the typical threats
and vulnerabilities for typical systems connected to the DoDIN as conveyed in the
RMF KS implementation guidance
o There are limited information system security engineering (ISSE) and assessor skills
available to design, build, and thoroughly assess all systems
o There are limited resources to correct all weaknesses identified
o AOs must balance mission capability with risks of operating information/PIT systems
o Some aspects of initial and follow-on assessments are performed manually in a
dynamic cyber environment
o Automated monitoring and reporting is at best difficult in a heterogeneous
architecture
TASK 1-4: Identify Information Sources: Information sources to consider in the risk
assessment include the following:
o DoD Component Computer Emergency Response Team (CERT) for current threat
and vulnerability data
o United States Computer Emergency Readiness Team (US-CERT) for threat and
vulnerability data through its National Cyber Awareness System (NCAS)
o National Air and Space Intelligence Center (NASIC) for current foreign air and space
threat data
o Defense Intelligence Agency (DIA) Information Operations (IO) Capstone Threat
Document[13] for cyber and space threats
o Common Vulnerabilities and Exposures (CVE) (www.cve.mitre.org) for current
vulnerability data
o CWE/SANS TOP 25 Most Dangerous Software Errors (www.sans.org)
o Common Attack Pattern Enumeration and Classification (CAPEC)[14]
o System Security Plan (SSP)
o Purpose of the system in relation to the mission (e.g., does the system support or
interconnect with other systems or support other missions?)
o Who are considered valid users (e.g., internal/external, foreign nationals, remote)
o Paths of information flow (e.g., cross-domain traffic)
[12] In the broadest context, community risk is most often managed via connection approvals in accordance with CJCSI 6510.01F, Information Assurance (IA) and Support to Computer Network Defense (CND); however.
[13] Available on the Secret Internet Protocol Router Network (SIPRNet) and the Joint Worldwide Intelligence Communications System (JWICS).
[14] CAPEC is a collaborative, community-based effort creating a catalog of attack patterns and a comprehensive schema and classification taxonomy focused on enhancing security throughout the software development lifecycle, and to support developers, testers and educators.
o Potential impact on the organization if system information is disclosed to
unauthorized personnel or the system or information is not reliable
o Information/system categorization, in accordance with CNSSI No. 1253
o Security control relationship to security objectives (confidentiality, integrity, availability)
o Accreditation boundary diagrams, system architecture, system data flow diagrams
o Independent validation or assessment reports (e.g., Security Assessment Report
(SAR) prepared by a Security Control Assessor (SCA) or designated representative)
o Plan of Action & Milestones (POA&M) for vulnerabilities
TASK 1-5: Identify Risk Model and Analytic Approach:
o Risk Model. Risk is assessed quantitatively, qualitatively, or semi-qualitatively. Due
to uncertainties and lack of quantifiable data, it is often necessary to use at best a
semi-qualitative model or more often the qualitative model. If more precision is
required to make risk-based decisions, and assuming detailed information is available
for each risk factor, a quantitative model is more desirable. If less precision is
required for risk-based decisions, or as the level of detail in information decreases for
risk factors, the less quantitative the risk model can be and the more qualitative it
must become. Regardless of the risk model used, uncertainty is inherent in evaluation
of risk, due to such considerations as: (i) limitations on the extent to which the future
will resemble the past; (ii) imperfect or incomplete knowledge of the threat (e.g.,
characteristics of adversaries including tactics, techniques, and procedures); (iii)
undiscovered vulnerabilities in technologies or products; and (iv) unrecognized
dependencies, which can lead to unforeseen impacts.
o Analytical Approach. Analysis approaches can be: (i) threat-oriented; (ii)
asset/impact-oriented; or (iii) vulnerability-oriented. NIST SP 800-30 takes primarily
a threat-oriented approach, which starts with the possible threat events and determines
the likelihood threat sources will initiate or cause those threat events to exploit
vulnerabilities or predisposing conditions and cause an impact, thereby arriving at a
risk level. The threat-oriented approach may be most appropriate during the system
categorization and the selection of controls, as the technology is usually not yet
selected at this point and the technical vulnerabilities cannot be known. Following
the security controls assessment, it is most appropriate to take a vulnerability-oriented
approach, which starts with a set of predisposing conditions or
weaknesses/deficiencies (e.g., non-compliant security controls) and then estimates the
likelihood threat sources will initiate or cause threat events that could exploit those
vulnerabilities and cause an impact, thereby arriving at a risk level. Any of the
approaches may be appropriate following authorization of the system, depending on if
a new threat or a new vulnerability is being assessed, or if there is simply a need to
determine the impact of proposed changes. The steps and tasks in this guide are
arranged to align with NIST SP 800-30, but the steps can be performed in an alternate
order to align with the DoD risk assessment approach. Regardless of the order, all
steps and tasks must be performed, to the degree possible or necessary to provide
accurate assessments of risk to the AO.
STEP 2: CONDUCT RISK ASSESSMENT
Table 2-1 is adapted from NIST SP 800-30, Tables I-5 and I-7, but the risk factors are ordered
differently. Also, for convenience the table combines the risk factors associated with adversarial
and non-adversarial threat sources. Practitioners may order risk factors appropriately to facilitate
the purpose of the risk assessment and the analytic approach. However, to ensure reciprocity in
communicating risk, all risk factors must be accounted for in the table. If risk factors are
summarized or combined in some manner, explain this in risk assessment reports.
The RMF KS content on risk assessments is focused on risk assessments following security
controls assessments; therefore, the example illustrated in this table is a vulnerability-based
approach to assessing risk. As such, it is more desirable to build the table beginning with the
vulnerability (e.g., non-compliant security controls) or predisposing condition (e.g., location of
the system in a flood plain), determine the severity or pervasiveness of each, then tie them to
threat sources with adversarial capability, intent, and targeting or non-adversarial range of effects
in order to determine the likelihood and impact necessary to assign a risk rating. Note also that
this example provides more fidelity than the risk assessment guidance provided on the RMF KS,
as that guidance is intentionally simplified (e.g., summarizes, combines, or assumes the details of
risk factors) and is focused on determining the residual risk from non-compliant security
controls. Even so, parallelism is maintained between the example here and the guidance on the
RMF KS. As practitioners gain more experience or as more fidelity is needed, more detailed risk
factor information (e.g., threat source capability, intent, and targeting) can be incorporated into
the risk assessments, as is depicted here.
Much information necessary to complete Table 2-1 may not be readily available or may have
been assumed in the DoD construct for assigning and assessing security controls (e.g., assumed
threats and vulnerabilities are associated with security controls in the implementation guidance
on the RMF KS). Also, the advanced persistent threat is just that, advanced and persistent; that
is, many adversaries are quite capable and are always scanning, exploiting, or attacking our
assets. Therefore, unless more specific, current, relevant threat information is available, risk
assessors generally assume adversarial threat capability, intent, and targeting is at least high
against more valuable assets (e.g., classified systems and/or systems with high impact values
assigned for integrity and/or availability). For most public systems, risk assessors can generally
assume adversarial threat is moderate or low, as there is less return on the adversary’s
investment. Therefore, risk assessors can “pre-populate” many of the cells in Table 2-1 with
assumed values based on security categorization and focus on determining overall likelihood and
impact relevant to specific systems. However, assumptions made in setting values in this table
must be clearly explained in the risk assessment report.
Table 2-2 explains how to complete Table 2-1. Values for some risk factors are straightforward
ratings from later tasks in the risk assessment process (i.e., VH = Very High, H = High, M =
Moderate, L = Low, and VL = Very Low). Other values are text based and provide detailed
information to determine the qualitative values. The content source for each risk factor is also
explained, referencing tasks and tables from the risk assessment process explained below.
Column | Heading
1  | Vulnerabilities or Predisposing Conditions
2  | Security Objective
3  | Severity or Pervasiveness
4  | Threat Event
5  | Relevance of Threat Event
6  | Threat Sources
7  | Capability (Threat Source Characteristics, Adversarial)
8  | Intent (Threat Source Characteristics, Adversarial)
9  | Targeting (Threat Source Characteristics, Adversarial)
10 | Range of Effects (Non-adversarial)
11 | Likelihood of Threat Event Initiation or Occurrence
12 | Likelihood Threat Event Results in Adverse Impact
13 | Overall Likelihood
14 | Level of Impact
15 | Risk
Table 2-1: Template – Adversarial and Non-adversarial Risk
Column 1: Vulnerabilities and Predisposing Conditions (Value: Text)
  Identify vulnerabilities (e.g., non-compliant security controls) that could be exploited by
  threat sources initiating the threat event and the predisposing conditions that could increase
  the likelihood of adverse impacts.
  Task 2-3.

Column 2: Security Objective (Value: C, I, A)
  Indicate the security objective (confidentiality, integrity, or availability (C-I-A)) affected
  by the vulnerability or predisposing condition. The security objective can be discerned from
  CNSSI No. 1253, Appendix D, Table D-1, Security Control Baselines. NOTE: CNSSI 1253 indicates
  more than one security objective can be affected, and it may be advantageous to select the
  security objective most affected in order to report risk in accordance with Task 3-1; Table 3-1.

Column 3: Severity and Pervasiveness (Value: VH, H, M, L, VL)
  Assess severity of vulnerabilities and pervasiveness of predisposing conditions. The assigned
  vulnerability rating must take into consideration remediation or mitigations in place (not
  planned). NOTE: A fully mitigated vulnerability has no severity.
  Task 2-3, Table 2-8 and Table 2-9.

Column 4: Threat Event (Value: Text)
  Identify threat event/s. NOTE: There could be a many-to-many relationship between threat events
  and the exploitable vulnerabilities or predisposing conditions.
  Task 2-2.

Column 5: Relevance of Threat Event (Value: Confirmed, Expected, Anticipated, Predicted, Possible, N/A)
  Determine relevance of threat event. NOTE: If the relevance of the threat event does not meet
  the organization’s criteria for further consideration, do not complete the remaining columns.
  Task 2-2; Table 2-7.

Column 6: Threat Sources (Value: Text)
  Identify threat sources that could initiate the threat event. Indicate if the threat source is
  adversarial or non-adversarial.
  Task 2-1.

Column 7: Capability (Value: VH, H, M, L, VL)
  Assess adversarial threat source capability. NOTE: May be a notional assessment based on
  experience, if no current threat data exists.
  Task 2-1, Table 2-3.

Column 8: Intent (Value: VH, H, M, L, VL)
  Assess adversarial threat source intent. NOTE: May be a notional assessment based on
  experience, if no current threat data exists.
  Task 2-1, Table 2-4.

Column 9: Targeting (Value: VH, H, M, L, VL)
  Assess adversarial threat source targeting. NOTE: May be a notional assessment based on
  experience, if no current threat data exists.
  Task 2-1, Table 2-5.

Column 10: Range of Effects, Non-adversarial (Value: VH, H, M, L, VL)
  Identify the range of effects from the non-adversarial threat source.
  Task 2-1; Table 2-6.

Column 11: Likelihood of Threat Event Initiation or Occurrence (Value: VH, H, M, L, VL)
  Determine likelihood that one or more adversarial threat source initiates the threat event,
  taking into consideration capability, intent, and targeting; or, determine the likelihood the
  non-adversarial threat event will occur.
  Task 2-4; Table 2-10.

Column 12: Likelihood Threat Event Results in Adverse Impact (Value: VH, H, M, L, VL)
  Determine the likelihood the threat event, once initiated, will result in adverse impact,
  taking into consideration threat source capability, vulnerabilities, and predisposing
  conditions.
  Task 2-4; Table 2-11.

Column 13: Overall Likelihood (Value: VH, H, M, L, VL)
  Determine the likelihood the threat event will be initiated (adversarial) or occur
  (non-adversarial) and result in adverse impacts (i.e., combination of likelihood of attack
  initiation/occurrence and likelihood that initiated attack succeeds or threat event results in
  adverse impact).
  Task 2-4; Table 2-12.

Column 14: Level of Impact (Value: VH, H, M, L, VL)
  Determine the adverse impact (i.e., potential harm to organizational operations, organizational
  assets, individuals, other organizations, or the Nation) from the threat event.
  Task 2-5; Table 2-13.

Column 15: Risk (Value: VH, H, M, L, VL)
  Determine the level of risk as a combination of likelihood and impact.
  Task 2-6; Table 2-14 and Table 2-15.

Table 2-2: Column Descriptions for Adversarial and Non-adversarial Risk Table
TASK 2-1: Identify Threat Sources
Identify and characterize threat sources [15] of concern, including capability, intent, and targeting
characteristics for adversarial threats and range of effects for non-adversarial threats. Tables 2-3,
2-4, and 2-5 provide an assessment scale for characteristics of adversary capability, intent, and
targeting, respectively. Table 2-6 provides an assessment scale on the range of effects for non-adversarial threats. Identification of threat sources is conducted to some extent by DoD and is
communicated via threat information in the implementation guidance on the RMF KS.
However, if more detailed and mission-, information-, or information/PIT system-specific threat
data can be obtained, it should be included in the risk assessment. Reference Task 1-4 above for
additional sources of threat data.
Qualitative Value | Description
Very High | The adversary has a very sophisticated level of expertise, is well-resourced, and can
  generate opportunities to support multiple successful, continuous, and coordinated attacks.
High | The adversary has a sophisticated level of expertise, with significant resources and
  opportunities to support multiple successful coordinated attacks.
Moderate | The adversary has moderate resources, expertise, and opportunities to support multiple
  successful attacks.
Low | The adversary has limited resources, expertise, and opportunities to support a successful
  attack.
Very Low | The adversary has very limited resources, expertise, and opportunities to support a
  successful attack.
Table 2-3: Assessment Scale – Characteristics of Adversary Capability [16]

Qualitative Value | Description
Very High | The adversary seeks to undermine, severely impede, or destroy a core mission or business
  function, program, or enterprise by exploiting a presence in the organization’s information/PIT
  systems or infrastructure. The adversary is concerned about disclosure of tradecraft only to the
  extent that it would impede its ability to complete stated goals.
High | The adversary seeks to undermine/impede critical aspects of a core mission or business
  function, program, or enterprise, or place itself in a position to do so in the future, by
  maintaining a presence in the organization’s information/PIT systems or infrastructure. The
  adversary is very concerned about minimizing attack detection/disclosure of tradecraft,
  particularly while preparing for future attacks.
Moderate | The adversary seeks to obtain or modify specific critical or sensitive information or
  usurp/disrupt the organization’s cyber resources by establishing a foothold in the organization’s
  information/PIT systems or infrastructure. The adversary is concerned about minimizing attack
  detection/disclosure of tradecraft, particularly when carrying out attacks over long time
  periods. The adversary is willing to impede aspects of the organization’s missions/business
  functions to achieve these ends.
Low | The adversary actively seeks to obtain critical or sensitive information or to usurp/disrupt
  the organization’s cyber resources, and does so without concern about attack detection/disclosure
  of tradecraft.
Very Low | The adversary seeks to usurp, disrupt, or deface the organization’s cyber resources, and
  does so without concern about attack detection/disclosure of tradecraft.
Table 2-4: Assessment Scale – Characteristics of Adversary Intent [17]

Qualitative Value | Description
Very High | The adversary analyzes information obtained via reconnaissance and attacks to target
  persistently a specific organization, enterprise, program, mission or business function, focusing
  on specific high-value or mission-critical information, resources, supply flows, or functions;
  specific employees or positions; supporting infrastructure providers/suppliers; or partnering
  organizations.
High | The adversary analyzes information obtained via reconnaissance to target persistently a
  specific organization, enterprise, program, mission or business function, focusing on specific
  high-value or mission-critical information, resources, supply flows, or functions, specific
  employees supporting those functions, or key positions.
Moderate | The adversary analyzes publicly available information to target persistently specific
  high-value organizations (and key positions, such as Chief Information Officer), programs, or
  information.
Low | The adversary uses publicly available information to target a class of high-value
  organizations or information, and seeks targets of opportunity within that class.
Very Low | The adversary may or may not target any specific organizations or classes of
  organizations.
Table 2-5: Assessment Scale – Characteristics of Adversary Targeting [18]

[15] Table D-2 in Appendix D of NIST SP 800-30 provides a taxonomy of threat sources.
[16] Source: NIST SP 800-30, Table D-3.
[17] Source: NIST SP 800-30, Table D-4.
[18] Source: NIST SP 800-30, Table D-5.
Qualitative Value | Description
Very High | The effects of the error, accident, or act of nature are sweeping, involving almost all
  of the cyber resources of the [Tier 3: information/PIT systems; Tier 2: mission/business
  processes or enterprise architecture (EA) segments, common infrastructure, or support services;
  Tier 1: organization/governance structure].
High | The effects of the error, accident, or act of nature are extensive, involving most of the
  cyber resources of the [Tier 3: information/PIT systems; Tier 2: mission/business processes or EA
  segments, common infrastructure, or support services; Tier 1: organization/governance structure],
  including many critical resources.
Moderate | The effects of the error, accident, or act of nature are wide-ranging, involving a
  significant portion of the cyber resources of the [Tier 3: information/PIT systems; Tier 2:
  mission/business processes or EA segments, common infrastructure, or support services; Tier 1:
  organization/governance structure], including some critical resources.
Low | The effects of the error, accident, or act of nature are limited, involving some of the cyber
  resources of the [Tier 3: information/PIT systems; Tier 2: mission/business processes or EA
  segments, common infrastructure, or support services; Tier 1: organization/governance structure],
  but involving no critical resources.
Very Low | The effects of the error, accident, or act of nature are minimal, involving few if any of
  the cyber resources of the [Tier 3: information/PIT systems; Tier 2: mission/business processes
  or EA segments, common infrastructure, or support services; Tier 1: organization/governance
  structure], and involving no critical resources.
Table 2-6: Assessment Scale – Range of Effects for Non-adversarial Threat Sources [19]
TASK 2-2: Identify Threat Events
Identify potential threat events [20], relevance of the events (Table 2-7), and the threat sources that
could initiate the events. It is necessary to understand the relevance of the threat event when
determining the likelihood the event will occur (e.g., due to human error or natural disaster) or be
initiated by an adversary. If the relevance is N/A, the threat/vulnerability pairing results in no
risk (i.e., zero threat times any value for vulnerability equals zero).
NIST SP 800-30 Appendix E provides: (i) a description of potentially useful inputs to the threat
event identification task; (ii) representative examples of adversarial threat events expressed as
tactics, techniques, and procedures and non-adversarial threat events; (iii) an exemplary
assessment scale for the relevance of those threat events; and (iv) templates for summarizing and
documenting results of threat identification.
To some extent, this task is conducted by DoD and is communicated via threat information
provided in the implementation guidance on the RMF KS. However, more robust risk
assessments require more detailed, more relevant, and more current information on threat
sources; therefore, it is necessary to reference the sources listed in Task 1-4 above.
Threat events can be described in terms of specific information/PIT systems, technologies, or
environments of operation. There can be a many-to-many relationship among threat events and
threat sources. Identify how each event could potentially harm organizational operations.
[19] Source: NIST SP 800-30, Table D-6.
[20] Table E-2 in Appendix E of NIST SP 800-30 provides representative examples of adversarial threat
events and Table E-3 provides representative examples of non-adversarial threat events.
Qualitative Value | Description
Confirmed | Threat event or TTP has been seen by the organization.
Expected | Threat event or TTP has been seen by the organization’s peers or partners.
Anticipated | Threat event or TTP has been reported by a trusted source.
Predicted | Threat event or TTP has been predicted by a trusted source.
Possible | Threat event or TTP has been described by a somewhat credible source.
N/A | Threat event or tactic, technique, or procedure (TTP) is not currently applicable. For
  example, a threat event or TTP could assume specific technologies, architectures, or processes
  that are not present in the organization, mission/business process, enterprise architecture
  segment, or information/PIT system; or predisposing conditions that are not present (e.g.,
  location in a flood plain). Alternately, if the organization is using detailed or specific threat
  information, a threat event or TTP could be deemed inapplicable because information indicates no
  adversary is expected to initiate the threat event or use the TTP.
Table 2-7: Relevance of Threat Events
TASK 2-3: Identify Vulnerabilities and Predisposing Conditions
Identify vulnerabilities and predisposing conditions affecting the likelihood threat events of
concern result in adverse impacts.
If the purpose of a risk assessment is to identify residual risk following the security controls
assessment, risk assessors must analyze results of security controls assessments to determine the
degree of compliance to implementation procedures found on the RMF KS. Non-compliance
with security controls (to varying degrees) implies vulnerabilities exist within the system or
environment of operations, assuming no compensating controls or mitigations exist.
NOTE: Raw vulnerability ratings are typically determined by reviewing DISA publication
guides, checklists, and/or databases from vulnerability scan engines such as GoldDisk, Security
Readiness Review (SRR) scripts, or Retina. Raw vulnerability ratings (i.e., findings) are
discussed in the Security Assessment Report, as are all mitigations, but raw vulnerability ratings
are not recorded in Table 2-1. As can be discerned from Table 2-8, the assigned vulnerability
rating must take into consideration remediation or mitigations in place (not planned); also, there
is no vulnerability if the raw finding is fully mitigated.
The severity of a vulnerability is an assessment of the relative importance of mitigating such a
vulnerability. Also, in analyzing the system-specific information in the authorization package, it
is possible to identify predisposing conditions that may increase the likelihood (e.g., computing
facility is located in a flood plain or earthquake zone) or decrease the likelihood (stand-alone
system with no need for typical boundary protection) that one or more threat events, once
initiated by threat sources, result in adverse impacts. [21] Risk assessors must understand the
severity of the vulnerabilities and the pervasiveness/range of effects of the predisposing
conditions when assessing risk in the overall framework presented above. Table 2-8 provides an
assessment scale for vulnerability severity. Table 2-9 provides an assessment scale for
pervasiveness of predisposing conditions.
[21] Table F-4 in Appendix F of NIST SP 800-30 provides a taxonomy of predisposing conditions, to
include details about information-related, technical, and operational/environmental predisposing
conditions.
Qualitative Value | Description
Very High | The vulnerability is exposed and exploitable, and its exploitation could result in
  severe impacts. Relevant security control or other remediation is not implemented and not
  planned; or no security measure can be identified to remediate the vulnerability.
High | The vulnerability is of high concern, based on the exposure of the vulnerability and ease
  of exploitation and/or on the severity of impacts that could result from its exploitation.
  Relevant security control or other remediation is planned but not implemented; compensating
  controls are in place and at least minimally effective.
Moderate | The vulnerability is of moderate concern, based on the exposure of the vulnerability and
  ease of exploitation and/or on the severity of impacts that could result from its exploitation.
  Relevant security control or other remediation is partially implemented and somewhat effective.
Low | The vulnerability is of minor concern, but effectiveness of remediation could be improved.
  Relevant security control or other remediation is fully implemented and somewhat effective.
Very Low | The vulnerability is not of concern. Relevant security control or other remediation is
  fully implemented, assessed, and effective.
Table 2-8: Assessment Scale – Vulnerability Severity

Qualitative Value | Description
Very High | Applies to all organizational missions/business functions (Tier 1), mission/business
  processes (Tier 2), or information/PIT systems (Tier 3).
High | Applies to most organizational missions/business functions (Tier 1), mission/business
  processes (Tier 2), or information/PIT systems (Tier 3).
Moderate | Applies to many organizational missions/business functions (Tier 1), mission/business
  processes (Tier 2), or information/PIT systems (Tier 3).
Low | Applies to some organizational missions/business functions (Tier 1), mission/business
  processes (Tier 2), or information/PIT systems (Tier 3).
Very Low | Applies to few organizational missions/business functions (Tier 1), mission/business
  processes (Tier 2), or information/PIT systems (Tier 3).
Table 2-9: Assessment Scale – Pervasiveness of Predisposing Conditions
TASK 2-4: Determine Likelihood
Determine the likelihood threat events of concern result in adverse impacts. The overall
likelihood of a threat event is a combination of: (i) the likelihood the event will occur (e.g., due
to human error or natural disaster) or be initiated by an adversary; and (ii) the likelihood the
initiation/occurrence will result in adverse impacts. The following summarizes task activities:
• Identify likelihood determination factors using information sources identified above (e.g.,
threat source characteristics, vulnerabilities, predisposing conditions).
• Assess the likelihood of threat event initiation for adversarial threats and the likelihood of
threat event occurrence for non-adversarial threats. [22]
• Assess the likelihood of threat events resulting in adverse impacts, given likelihood of
initiation or occurrence. [23]
• Assess the overall likelihood of threat event initiation/occurrence and likelihood of threat
events resulting in adverse impacts. [24]
[22] Tables G-2 and G-3 in NIST SP 800-30 provide assessment scales for likelihood of threat event
initiation (adversarial) and likelihood of threat event occurrence (non-adversarial).
[23] Table G-4 in NIST SP 800-30 provides an assessment scale for likelihood of threat event resulting
in adverse impacts.
[24] Table G-5 of NIST SP 800-30 provides an assessment scale for overall likelihood.
NOTE: To determine overall likelihood of a non-compliant security control (i.e., a vulnerability)
being exploited, the SCA must consider available or known system mitigations and/or
compensating controls (i.e., other security controls supporting the same or similar objective).
Consider also the threat environment of the system, technical possibility of an exploit, policy or
procedure vulnerability, and any other factors considered relevant to possible exploitation.
Mitigation measures may be strong, moderate, or weak. The SCA analyzes mitigations and
compensating controls actually in place (not planned) that tend to protect the vulnerability from
exploitation. A planned mitigation or compensating control cannot lower risk until implemented.
Use Table 2-10 to select the likelihood a threat event will be initiated or will occur.25 Use Table
2-11 to determine the likelihood of a threat event resulting in adverse impacts. Use Table 2-12 to
determine the overall likelihood rating. NOTE: Table 2-12 is not created for each likelihood
pairing; rather, it is used only to determine the overall likelihood rating to be entered into a risk
table, such as Table 2-1 above.
Qualitative Value | Description
Very High | Adversary is almost certain to initiate the threat event (i.e., adversary capability,
  intent, and/or targeting are very high).
  or
  Error, accident, or act of nature is almost certain to occur; or occurs more than 100 times a
  year.
High | Adversary is highly likely to initiate the threat event (i.e., adversary capability, intent,
  and/or targeting are high).
  or
  Error, accident, or act of nature is highly likely to occur; or occurs between 10-100 times a
  year.
Moderate | Adversary is somewhat likely to initiate the threat event (i.e., adversary capability,
  intent, and targeting are moderate).
  or
  Error, accident, or act of nature is somewhat likely to occur; or occurs between 1-10 times a
  year.
Low | Adversary is unlikely to initiate the threat event (i.e., adversary capability, intent,
  and/or targeting are low).
  or
  Error, accident, or act of nature is unlikely to occur; or occurs less than once a year, but
  more than once every 10 years.
Very Low | Adversary is highly unlikely to initiate the threat event (i.e., adversary capability,
  intent, and/or targeting are very low).
  or
  Error, accident, or act of nature is highly unlikely to occur; or occurs less than once every
  10 years.
Table 2-10: Likelihood of Threat Event Initiation (Adversarial) or Occurrence (Non-Adversarial) [25]

Qualitative Value | Description
Very High | If the threat event is initiated or occurs, it is almost certain to have adverse impacts.
High | If the threat event is initiated or occurs, it is highly likely to have adverse impacts.
Moderate | If the threat event is initiated or occurs, it is somewhat likely to have adverse impacts.
Low | If the threat event is initiated or occurs, it is unlikely to have adverse impacts.
Very Low | If the threat event is initiated or occurs, it is highly unlikely to have adverse impacts.
Table 2-11: Likelihood of Threat Event Resulting in Adverse Impacts [26]

Rows: Likelihood of Threat Event Initiation or Occurrence (Table 2-10).
Columns: Likelihood Threat Events Result in Adverse Impact (Table 2-11).
              | Very Low  | Low       | Moderate  | High      | Very High
Very High     | Low       | Moderate  | High      | Very High | Very High
High          | Low       | Moderate  | Moderate  | High      | Very High
Moderate      | Low       | Low       | Moderate  | Moderate  | High
Low           | Very Low  | Low       | Low       | Moderate  | Moderate
Very Low      | Very Low  | Very Low  | Low       | Low       | Low
Table 2-12: Overall Likelihood [27]

[25] This table is a combination of Table G-2, Assessment Scale – Likelihood of Threat Event
Initiation (Adversarial) and Table G-3, Assessment Scale – Likelihood of Threat Event Occurrence
(Non-Adversarial) in NIST SP 800-30. In deciding which description to use at a given level,
determine if the vulnerability or predisposing condition can be related to or exploited by an
adversarial threat or a non-adversarial threat.
TASK 2-5: Determine Impact
Determine the adverse impacts [28] from threat events of concern considering: (i) the characteristics
of the threat sources that could initiate the events; (ii) the vulnerabilities (e.g., non-compliant
security controls) and predisposing conditions identified; and (iii) the susceptibility reflecting the
safeguards/countermeasures (i.e., compliant and effective security controls) planned [29] or
implemented to impede such events. Adverse impacts are initially associated with
information/PIT system capabilities (e.g., processing, display, communications, storage, and
retrieval) and resources (e.g., databases, services, components) that could be compromised.
However, risk assessors must ultimately consider adverse impacts in terms of the potential harm
caused to organizational operations. That is, risk assessors must understand impact not only in
terms of the information/PIT system, but to the mission/operation harmed by the system’s
vulnerability. Table 2-13 provides descriptions of the impact of threat events.
Qualitative Values | Impact of Threat Events
Very High | The threat event could be expected to have multiple severe or catastrophic adverse
  effects.
High | The threat event could be expected to have a severe or catastrophic adverse effect. For
  example, the threat event might: (i) cause a severe degradation in or loss of mission capability
  to an extent and duration that the organization is not able to perform one or more of its primary
  functions; (ii) result in major damage to organizational assets; (iii) result in major financial
  loss; or (iv) result in severe or catastrophic harm to individuals involving loss of life or
  serious life-threatening injuries.
Moderate | The threat event could be expected to have a serious adverse effect. For example, the
  threat event might: (i) cause a significant degradation in mission capability to an extent and
  duration that the organization is able to perform its primary functions, but the effectiveness of
  the functions is significantly reduced; (ii) result in significant damage to organizational
  assets; (iii) result in significant financial loss; or (iv) result in significant harm to
  individuals that does not involve loss of life or serious life-threatening injuries.
Low | The threat event could be expected to have a limited adverse effect. For example, the threat
  event might: (i) cause a degradation in mission capability to an extent and duration that the
  organization is able to perform its primary functions, but the effectiveness of the functions is
  noticeably reduced; (ii) result in minor damage to organizational assets; (iii) result in minor
  financial loss; or (iv) result in minor harm to individuals.
Very Low | The threat event could be expected to have a negligible adverse effect.
Table 2-13: Impact of Threat Events [30]

[26] Source: NIST SP 800-53, Appendix G, Table G-4
[27] Source: NIST SP 800-53, Appendix G, Table G-5, with modifications.
[28] NIST SP 800-30, Appendix H, Table H-2 provides examples of adverse impacts, in terms of harm to
operations, assets, individuals, other organizations, and the nation.
[29] A planned safeguard/countermeasure cannot provide mitigation, but the AO may need to consider
if/when a future safeguard/countermeasure will be effective in mitigating a risk accepted in the
interim.
TASK 2-6: Determine Risk
Determine the risk to the organizational operations, organizational assets, individuals, other
organizations, or the Nation from threat events of concern considering: (i) the impact that would
result from the events; and (ii) the likelihood of the events occurring. The level of risk
associated with identified threat events represents a determination of the degree to which
organizational operations, organizational assets, individuals, other organizations, or the Nation
are threatened by such events. NIST SP 800-30 explains that each risk corresponds to a specific
threat event with a level of impact if that event occurs. If examining risk from a vulnerability-oriented approach, each risk corresponds to a specific vulnerability (e.g., non-compliant security
control). In general, the risk level is typically not higher than the level of impact, and likelihood
can serve to reduce risk below that level.
To determine a risk rating, find the intersection in Table 2-14 for the Overall Likelihood and the
Level of Impact ratings determined above. Table 2-15 explains the risk level with respect to
organizational operations, organizational assets, individuals, other organizations, or the Nation.
Rows: Likelihood (Threat Event Occurs and Results in Adverse Impact).
Columns: Level of Impact.
              | Very Low  | Low       | Moderate  | High      | Very High
Very High     | Very Low  | Low       | Moderate  | High      | Very High
High          | Very Low  | Low       | Moderate  | High      | Very High
Moderate      | Very Low  | Low       | Moderate  | Moderate  | High
Low           | Very Low  | Low       | Low       | Low       | Moderate
Very Low      | Very Low  | Very Low  | Very Low  | Low       | Low
Table 2-14: Level of Risk (Combination of Likelihood and Impact) [31]

[30] Source: Draft NIST SP 800-30, Appendix H
[31] Source: NIST SP 800-30, Appendix I, Table I-2.

Qualitative Values | Description
Very High | Very high risk means that a threat event could be expected to have multiple severe or
  catastrophic adverse effects on organizational operations, organizational assets, individuals,
  other organizations, or the Nation.
High | High risk means that a threat event could be expected to have a severe or catastrophic
  adverse effect on organizational operations, organizational assets, individuals, other
  organizations, or the Nation.
Moderate | Moderate risk means that a threat event could be expected to have a serious adverse
  effect on organizational operations, organizational assets, individuals, other organizations, or
  the Nation.
Low | Low risk means that a threat event could be expected to have a limited adverse effect on
  organizational operations, organizational assets, individuals, other organizations, or the Nation.
Very Low | Very low risk means that a threat event could be expected to have a negligible adverse
  effect on organizational operations, organizational assets, individuals, other organizations, or
  the Nation.
Table 2-15: Risk Level Descriptions [32]
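The following Python example is added here and is not part of the DoD guide or of NIST SP 800-30. It carries a Table 2-1 row through Task 2-4 (Table 2-12) and Task 2-6 (Table 2-14), treats an N/A relevance from Table 2-7 as zero risk, checks the Task 2-6 observation that the risk level is never higher than the level of impact, pre-populates the adversarial threat characteristics from security categorization as the text above suggests, and orders rows for the Task 3-1 prioritization. The RiskRow field layout, the "Moderate" default for systems that are neither classified nor high-impact, the tie-break order in prioritize, and the sample rows are this example's assumptions, not values from the guide.

```python
"""Worked example (added; not from the DoD guide or NIST SP 800-30): carry one
Table 2-1 row through Tasks 2-4 and 2-6 using the guide's qualitative scales."""
from dataclasses import dataclass
from typing import Optional

# Five-level scale shared by Tables 2-3 through 2-15, ordered low to high.
SCALE = ["Very Low", "Low", "Moderate", "High", "Very High"]

# Table 2-7 relevance values; N/A means zero threat and therefore no risk.
RELEVANCE = ["Confirmed", "Expected", "Anticipated", "Predicted", "Possible", "N/A"]

# Table 2-12: row = likelihood of initiation/occurrence (Table 2-10),
# column = likelihood of adverse impact once initiated (Table 2-11), in SCALE order.
OVERALL_LIKELIHOOD = {
    "Very High": ["Low", "Moderate", "High", "Very High", "Very High"],
    "High":      ["Low", "Moderate", "Moderate", "High", "Very High"],
    "Moderate":  ["Low", "Low", "Moderate", "Moderate", "High"],
    "Low":       ["Very Low", "Low", "Low", "Moderate", "Moderate"],
    "Very Low":  ["Very Low", "Very Low", "Low", "Low", "Low"],
}

# Table 2-14: row = overall likelihood (Table 2-12), column = level of impact (Table 2-13).
RISK_LEVEL = {
    "Very High": ["Very Low", "Low", "Moderate", "High", "Very High"],
    "High":      ["Very Low", "Low", "Moderate", "High", "Very High"],
    "Moderate":  ["Very Low", "Low", "Moderate", "Moderate", "High"],
    "Low":       ["Very Low", "Low", "Low", "Low", "Moderate"],
    "Very Low":  ["Very Low", "Very Low", "Very Low", "Low", "Low"],
}


def lookup(matrix, row, col):
    """Intersect a row rating and a column rating in one of the 5x5 tables."""
    if row not in SCALE or col not in SCALE:
        raise ValueError(f"rating must be one of {SCALE}, got {row!r}/{col!r}")
    return matrix[row][SCALE.index(col)]


def overall_likelihood(initiation, adverse_impact):
    """Column 13 of Table 2-1, via Table 2-12."""
    return lookup(OVERALL_LIKELIHOOD, initiation, adverse_impact)


def risk_level(likelihood, impact):
    """Column 15 of Table 2-1, via Table 2-14."""
    return lookup(RISK_LEVEL, likelihood, impact)


def assumed_adversarial_characteristics(classified, high_integrity_or_availability):
    """Pre-populate columns 7-9 from security categorization when no current threat
    data exists: at least High for classified or high-impact I/A systems. Using
    "Moderate" for everything else is this example's assumption (the guide says
    moderate or low for most public systems)."""
    level = "High" if (classified or high_integrity_or_availability) else "Moderate"
    return {"capability": level, "intent": level, "targeting": level}


@dataclass
class RiskRow:
    vulnerability: str           # column 1 (assumed field layout)
    severity: str                # column 3, after mitigations in place (Table 2-8)
    threat_event: str            # column 4
    relevance: str               # column 5 (Table 2-7)
    initiation: str              # column 11 (Table 2-10)
    adverse_impact: str          # column 12 (Table 2-11)
    impact: str                  # column 14 (Table 2-13)
    overall: Optional[str] = None   # column 13, computed
    risk: Optional[str] = None      # column 15, computed


def assess(row):
    """Fill columns 13 and 15. A row whose relevance is N/A gets no risk rating,
    since zero threat times any vulnerability value is zero."""
    if row.relevance not in RELEVANCE:
        raise ValueError(f"unknown relevance {row.relevance!r}")
    if row.relevance == "N/A":
        row.overall = row.risk = None
        return row
    row.overall = overall_likelihood(row.initiation, row.adverse_impact)
    row.risk = risk_level(row.overall, row.impact)
    # Task 2-6: the risk level is not higher than the level of impact. Table 2-14
    # guarantees this; the check would catch a mistyped matrix.
    assert SCALE.index(row.risk) <= SCALE.index(row.impact)
    return row


def prioritize(rows):
    """Order assessed rows for Task 3-1: highest risk first, ties broken by impact,
    then overall likelihood (assumed tie-break order); N/A rows sort last."""
    def key(r):
        if r.risk is None:
            return (-1, -1, -1)
        return (SCALE.index(r.risk), SCALE.index(r.impact), SCALE.index(r.overall))
    return sorted(rows, key=key, reverse=True)


# Constructed sample rows (placeholders, not findings from any real system).
SAMPLE_ROWS = [
    RiskRow("Control X non-compliant (constructed)", "High", "Credential misuse",
            "Expected", "High", "Moderate", "High"),
    RiskRow("Server room in flood plain (constructed)", "Moderate", "Flooding",
            "Possible", "Low", "Very High", "Very High"),
    RiskRow("Control Y non-compliant (constructed)", "Low", "Wireless intrusion",
            "N/A", "Moderate", "Moderate", "Moderate"),   # no wireless present
]

if __name__ == "__main__":
    for r in prioritize([assess(r) for r in SAMPLE_ROWS]):
        print(f"{r.vulnerability:45} overall={str(r.overall):9} risk={r.risk}")
```

Running the block prints the flood row first: Low initiation combined with Very High adverse impact gives Moderate overall likelihood, and Moderate likelihood against Very High impact gives High risk, while the N/A row carries no rating and sorts last.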
STEP 3: COMMUNICATE AND SHARE RISK ASSESSMENT RESULTS
TASK 3-1: Communicate Risk Assessment Results
Communicate risk assessment results to organizational decision makers to support risk
responses. Various tools (automated or manual) may be used to accomplish this task, but Table
2-1 above may serve this purpose.
NIST SP 800-30 does not attempt to roll individual threat event risk levels (e.g., line entries from
Table 2-1) up to a system level risk rating. While it may be desirable to understand or
communicate the overall risk for a system, the AO’s risk responses must often be tied to
individual vulnerabilities (e.g., non-compliant security controls listed in the POA&M).
Risk assessors must often prioritize risks. The risk assessment may identify a number of risks
that have similar ratings. When too many risks are clustered at or about the same value, risk
assessors must refine the presentation of risk assessment results, prioritizing within sets of risks
with similar values. Prioritization considers the mission/business requirements, consistent with
the AO’s risk tolerance, and maximizes the use of available resources. Prioritization is necessary
when requirements cannot be fully satisfied or when resources do not allow all risks to be
mitigated within a reasonable time frame. To facilitate the AO’s informed risk response
decisions (e.g., why certain risks were or were not mitigated), the risk assessment results are
annotated to enable the AO to know or obtain the answers to the following questions about each
risk in a set with similar scores:
• Time Frame: How high would the immediate impact be as compared to the future impact
if a risk materializes?
• Total Cumulative Impact: What is the expected impact from a single occurrence of a
threat; if the risk can materialize more than once, what is the overall expected impact?
• Synergies Among Risks: If a risk materializes that is closely related to multiple risks, will
a cluster of risks materialize at or near the same time?
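As an added example that is not part of the guide, the following Python orders Table 2-1 style line entries by risk level and, for entries that share a level, records answers to the three questions above so the AO can see why one was ranked ahead of another. The risk entries, expected occurrence counts and related-risk links are constructed sample data, and the intra-level ordering (synergy cluster size, then cumulative impact, then immediacy) is an assumption of this example.

```python
"""Prioritising risks that share a risk level (TASK 3-1 annotation questions).

Added example, not from the DoD guide. All risk entries below are constructed;
the scoring used to order risks within one level is an assumption made here.
"""
from dataclasses import dataclass, field

# Ordinal ranks for the qualitative scale the guide adopts from NIST SP 800-30.
LEVEL_RANK = {"Very Low": 0, "Low": 1, "Moderate": 2, "High": 3, "Very High": 4}


@dataclass
class Risk:
    risk_id: str                 # line entry from a Table 2-1 style worksheet
    threat_event: str
    level: str                   # overall risk level per Table 2-15
    impact_now: int              # impact rank if the event occurs in this cycle
    impact_future: int           # impact rank if the event occurs later
    expected_occurrences: int    # times the event may materialise in the period
    related: set = field(default_factory=set)  # ids of closely related risks


def annotate(risk, by_id):
    """Answer the three annotation questions for one risk (assumed encoding)."""
    # Time Frame: immediate impact compared with future impact.
    time_frame = "immediate" if risk.impact_now >= risk.impact_future else "deferred"
    # Total Cumulative Impact: single occurrence scaled by how often it can recur.
    cumulative = max(risk.impact_now, risk.impact_future) * risk.expected_occurrences
    # Synergies Among Risks: related risks at the same level that may materialise together.
    cluster = [r for r in risk.related if r in by_id and by_id[r].level == risk.level]
    return {"time_frame": time_frame, "cumulative_impact": cumulative,
            "synergy_cluster": sorted(cluster)}


def prioritise(risks):
    """Return (risk_id, level, annotation) tuples, highest priority first."""
    by_id = {r.risk_id: r for r in risks}

    def key(r):
        a = annotate(r, by_id)
        return (LEVEL_RANK[r.level], len(a["synergy_cluster"]),
                a["cumulative_impact"], a["time_frame"] == "immediate")

    return [(r.risk_id, r.level, annotate(r, by_id))
            for r in sorted(risks, key=key, reverse=True)]


# Constructed sample worksheet: three High entries cluster at the same value.
SAMPLE = [
    Risk("R-01", "Unpatched remote-access gateway", "High", 3, 3, 2, {"R-03"}),
    Risk("R-02", "Privileged credential theft", "High", 4, 2, 1, {"R-03"}),
    Risk("R-03", "Audit logs not reviewed (AU-6)", "High", 2, 3, 3, {"R-01", "R-02"}),
    Risk("R-04", "Backup media not encrypted", "Moderate", 2, 2, 1, set()),
]

if __name__ == "__main__":
    for rid, level, note in prioritise(SAMPLE):
        print(rid, level, note)
```

Running the module prints the High entries first, with R-03 ahead of the other two because its synergy cluster and cumulative impact are larger.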
[32] Source: NIST SP 800-30, Appendix I, Table I-3.
TASK 3-2: Share Risk-related Information
Share risk-related information produced during the risk assessment with appropriate
organizational personnel, such as Information Security Officers/Managers, Information System
Owners (or Program Managers), the User Representative or Information Owner/Steward, the Senior
Information Security Officer (SISO) or Chief Information Officer (CIO) (i.e., for systems with
High or Very High risk non-compliant security controls), the operational community responsible
for maintaining the system’s security posture, network operations centers with purview over the
networks hosting the system, etc.
The AO must provide feedback to the Information System Owner on which vulnerabilities (e.g.,
non-compliant security controls) must be corrected and by when. Feedback is based on the
prioritization of risks. The feedback may be provided in the POA&M per vulnerability and/or in an
authorization memo (e.g., Authorization to Operate (ATO) with conditions).
STEP 4: MAINTAIN THE ASSESSMENT
TASK 4-1: Monitor Risk Factors
Conduct ongoing monitoring of the risk factors contributing to changes in risk to organizational
operations and assets, individuals, other organizations, or the Nation.
Monitor changing conditions that could potentially affect the ability to conduct core missions
and business functions. Capture changes in the effectiveness of risk response measures in order
to maintain the currency of risk assessments. Coordinate with Information System Owners to
work POA&M action items and completion dates required by the AO in an authorization
decision. Review the POA&M regularly to determine which items require additional attention or
resources and report to the AO any action item completion date not met.
This step to maintain the assessment results over time overlaps to some degree with the risk
monitoring step in the risk management process (NIST SP 800-39) and the continuous
monitoring step in the RMF. [33] This overlap reinforces the important concept that many of the
activities in the risk management process are complementary and mutually reinforcing.
[33] Reference NIST SP 800-137, Information Security Continuous Monitoring for Federal Information Systems and Organizations.
TASK 4-2: Update Risk Assessment
Update the existing risk assessment using the results from ongoing monitoring of risk factors.
If significant changes have occurred since the risk assessment was conducted, revisit the
purpose, scope, assumptions, and constraints of the assessment to determine whether all tasks in
the risk assessment process need to be repeated. Otherwise, the updates constitute subsequent
risk assessments, identifying and assessing only how selected risk factors have changed, for
example: (i) the identification of new threat events, vulnerabilities, predisposing conditions,
undesirable consequences and/or affected assets; and (ii) the assessments of threat source
characteristics (e.g., capability, intent, targeting, range of effects), likelihoods, and impacts.
Communicate the results of subsequent risk assessments to the AO to ensure they have the
information needed to make ongoing risk-based decisions.
Following issuance of the authorization decision (i.e., ATO or ATO with conditions) and
establishment of the accepted risk level, any changes to the system must be assessed by the
system’s Information System Security Manager (ISSM) to ascertain whether the change increases
the risk level. The ISSM is critical in the initiation of the change review process. The ISSM must
consult the SCA for an assessment of any change to the system to determine whether the system
authorization is in jeopardy and re-authorization is required. The rule of thumb is that if the
implementation of a security control is affected by the change (especially for security or
security-enabled products), there must be an assessment of the security control implementation,
as was done to support the initial system authorization. Therefore, the SCA must assess the
implementation of the security control(s) and determine whether the risk level remains consistent
with the current authorization.