1. Home
  2. FedRAMP
  3. RA-3

BRACKETOLOGY | FEDRAMP

RA-3: SECURITY CATEGORIZATION

  • FedRAMP Baseline Membership RA-3:
  • LOW
  • MODERATE
  • HIGH

FedRAMP Bracketology

Use the FedRAMP Control Membership information above to determine if a control or control enhancement is required for each Impact Baseline — LOW, MODERATE, or HIGH

Click on the panel below each control or control enhancement to review the FedRAMP Impact Baseline-specific control configuration requirements for each of the [BRACKETS] in each control and/or control enhancement.

Review and use Additional Requirements and Guidance to build FedRAMP-compliant controls for your risk-based cybersecurity program.

To change the baseline view in the panel, click on LOW, MODERATE, or HIGH when the panel is open

Panels only appear where there are [BRACKETS] in the control or enhancement or where there is FedRAMP-specific requirements or guidance available.

The organization:

    • a. Conducts an assessment of risk, including the likelihood and magnitude of harm, from the unauthorized access, use, disclosure, disruption, modification, or destruction of the information system and the information it processes, stores, or transmits;
    • b. Documents risk assessment results in [Selection: security plan; risk assessment report; [Assignment: organization-defined document]];
    • c. Reviews risk assessment results [Assignment: organization-defined frequency];
    • d. Disseminates risk assessment results to [Assignment: organization-defined personnel or roles]; and
    • e. Updates the risk assessment [Assignment: organization-defined frequency] or whenever there are significant changes to the information system or environment of operation (including the identification of new threats and vulnerabilities), or other conditions that may impact the security state of the system.

Click Low | Moderate | High below to see FedRAMP control configuration information. It's in BOLD.

The organization:

  • a. Conducts an assessment of risk, including the likelihood and magnitude of harm, from the unauthorized access, use, disclosure, disruption, modification, or destruction of the information system and the information it processes, stores, or transmits;
  • b. Documents risk assessment results in report; security assessment report;
  • c. Reviews risk assessment results in accordance with OMB A-130 requirements or when a significant change occurs;
  • d. Disseminates risk assessment results to organization-defined personnel or roles; and
  • e. Updates the risk assessment in accordance with OMB A-130 requirements or when a significant change occurs or whenever there are significant changes to the information system or environment of operation (including the identification of new threats and vulnerabilities), or other conditions that may impact the security state of the system.

FedRAMP GUIDANCE:

RA-3: Significant change is defined in NIST Special Publication 800-37 Revision 1, Appendix F

FedRAMP REQUIREMENT:

RA-3d.: Include the Authorizing Official; for JAB authorizations to include FedRAMP.

The organization:

  • a. Conducts an assessment of risk, including the likelihood and magnitude of harm, from the unauthorized access, use, disclosure, disruption, modification, or destruction of the information system and the information it processes, stores, or transmits;
  • b. Documents risk assessment results in report; security assessment report;
  • c. Reviews risk assessment results in accordance with OMB A-130 requirements or when a significant change occurs;
  • d. Disseminates risk assessment results to organization-defined personnel or roles; and
  • e. Updates the risk assessment in accordance with OMB A-130 requirements or when a significant change occurs or whenever there are significant changes to the information system or environment of operation (including the identification of new threats and vulnerabilities), or other conditions that may impact the security state of the system.

FedRAMP GUIDANCE:

RA-3: Significant change is defined in NIST Special Publication 800-37 Revision 1, Appendix F

FedRAMP REQUIREMENT:

RA-3d.: Include the Authorizing Official; for JAB authorizations to include FedRAMP.

The organization:

  • a. Conducts an assessment of risk, including the likelihood and magnitude of harm, from the unauthorized access, use, disclosure, disruption, modification, or destruction of the information system and the information it processes, stores, or transmits;
  • b. Documents risk assessment results in report; security assessment report;
  • c. Reviews risk assessment results in accordance with OMB A-130 requirements or when a significant change occurs;
  • d. Disseminates risk assessment results to organization-defined personnel or roles; and
  • e. Updates the risk assessment in accordance with OMB A-130 requirements or when a significant change occurs or whenever there are significant changes to the information system or environment of operation (including the identification of new threats and vulnerabilities), or other conditions that may impact the security state of the system.

FedRAMP GUIDANCE:

RA-3: Significant change is defined in NIST Special Publication 800-37 Revision 1, Appendix F

FedRAMP REQUIREMENT:

RA-3d.: Include the Authorizing Official; for JAB authorizations to include FedRAMP.


SUPPLEMENTAL GUIDANCE

"Clearly defined authorization boundaries are a prerequisite for effective risk assessments. Risk assessments take into account threats, vulnerabilities, likelihood, and impact to organizational operations and assets, individuals, other organizations, and the Nation based on the operation and use of information systems. Risk assessments also take into account risk from external parties (e.g., service providers, contractors operating information systems on behalf of the organization, individuals accessing organizational information systems, outsourcing entities). In accordance with OMB policy and related E-authentication initiatives, authentication of public users accessing federal information systems may also be required to protect nonpublic or privacy-related information. As such, organizational assessments of risk also address public access to federal information systems.

Risk assessments (either formal or informal) can be conducted at all three tiers in the risk management hierarchy (i.e., organization level, mission/business process level, or information system level) and at any phase in the system development life cycle. Risk assessments can also be conducted at various steps in the Risk Management Framework, including categorization, security control selection, security control implementation, security control assessment, information system authorization, and security control monitoring. RA-3 is noteworthy in that the control must be partially implemented prior to the implementation of other controls in order to complete the first two steps in the Risk Management Framework. Risk assessments can play an important role in security control selection processes, particularly during the application of tailoring guidance, which includes security control supplementation."

CONTROL ENHANCEMENTS

NO CONTROL ENHANCEMENTS

REFERENCES:

  • NIST Special Publication 800-30
  • NIST Special Publication 800-39
  • OMB Memorandum 04-04
  • http://idmanagement.gov