Overview
Framework Reference: NIST SP 800 series Risk Management Framework (RMF)
Purpose
To identify, evaluate, and prioritize risks to organizational operations, assets, and individuals arising from the operation and use of information systems. This assessment supports informed decision-making and strategic mitigation planning.
Assessment Structure
1. System Characterization
- Define system boundaries, architecture, data flows, and interconnections
- Identify critical assets, stakeholders, and mission dependencies
2. Threat Identification
- Catalog potential threat sources (e.g., nation-state actors, insider threats, supply chain vulnerabilities)
- Use threat intelligence feeds and historical incident data
3. Vulnerability Analysis
- Assess system weaknesses across hardware, software, configurations, and human factors
- Leverage automated scanning tools and manual reviews
4. Impact Analysis
- Evaluate consequences of successful exploitation (confidentiality, integrity, availability)
- Align with FIPS 199 impact levels: Low, Moderate, High
5. Likelihood Determination
- Estimate probability of threat events exploiting vulnerabilities
- Consider threat capability, intent, and system exposure
6. Risk Determination
- Combine impact and likelihood to quantify risk
- Prioritize risks using a matrix or scoring model
7. Control Recommendations
- Map risks to NIST SP 800-53 security controls
- Recommend technical, administrative, and physical safeguards
8. Residual Risk Evaluation
- Document acceptance or mitigation strategy
- Assess remaining risk after controls are implemented
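The following Python is an added worked example, not part of the assessment outline above, showing how steps 4 through 8 fit together: FIPS 199 impact levels and a likelihood estimate are combined through a qualitative matrix, the register is prioritized, and residual risk is evaluated against an acceptance threshold after the recommended SP 800-53 controls are applied. The 3x3 matrix, the per-risk control-effect estimates, the acceptance threshold and the sample register are constructed assumptions for illustration.

```python
# Constructed example for steps 4 through 8 of the assessment: a qualitative
# risk matrix, prioritization, and residual-risk evaluation. The matrix values,
# control-effect estimates and sample register are illustrative assumptions.
from dataclasses import dataclass

LEVELS = ("Low", "Moderate", "High")  # FIPS 199 impact levels, reused for likelihood
RANK = {name: i for i, name in enumerate(LEVELS)}
# RISK_MATRIX[likelihood][impact] -> risk level (constructed 3x3 matrix)
RISK_MATRIX = {
    "Low":      {"Low": "Low",      "Moderate": "Low",      "High": "Moderate"},
    "Moderate": {"Low": "Low",      "Moderate": "Moderate", "High": "High"},
    "High":     {"Low": "Moderate", "Moderate": "High",     "High": "High"},
}

@dataclass
class Risk:
    rid: str
    threat: str
    likelihood: str
    impact: str
    controls: tuple            # NIST SP 800-53 control IDs recommended for this risk
    likelihood_reduction: int  # estimated notches the controls remove from likelihood
    impact_reduction: int      # estimated notches the controls remove from impact

def risk_level(likelihood, impact):
    """Step 6: combine likelihood and impact through the matrix."""
    return RISK_MATRIX[likelihood][impact]

def lowered(level, notches):
    """Drop a level by `notches`, never below Low."""
    return LEVELS[max(0, RANK[level] - notches)]

def residual_risk(r):
    """Step 8: risk remaining once the recommended controls are in place."""
    return risk_level(lowered(r.likelihood, r.likelihood_reduction),
                      lowered(r.impact, r.impact_reduction))

def prioritize(register):
    """Step 6: order the register by inherent risk, then impact, highest first."""
    return sorted(register, reverse=True,
                  key=lambda r: (RANK[risk_level(r.likelihood, r.impact)], RANK[r.impact]))

def needs_treatment(r, accept_up_to="Low"):
    """Step 8: residual risk above the threshold must be mitigated or formally accepted."""
    return RANK[residual_risk(r)] > RANK[accept_up_to]

# Constructed sample register for a hypothetical system.
REGISTER = [
    Risk("R1", "Unpatched internet-facing service", "High", "High", ("SI-2", "RA-5"), 2, 0),
    Risk("R2", "Misuse of a privileged account", "Moderate", "High", ("AC-2", "AU-6"), 1, 1),
    Risk("R3", "Phishing of general staff", "High", "Low", ("AT-2",), 1, 0),
]
```

Note that R1 stays at Moderate residual risk even after patching controls lower its likelihood, because the impact of a compromise is unchanged; that is the kind of item step 8 requires to be either mitigated further or formally accepted.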