Description: In-depth, comprehensive, professionally developed risk management strategy and risk assessment program. It includes documentation on all essential subject matter for developing a risk management strategy and for performing a risk assessment as required by NIST SP 800-53, Revision 5.
Note: DoD and cleared contractors in industry are required to perform, at a minimum, an annual risk assessment, and one that is specific to an actual 'system'. While the DCSA DAAPM and other related DoD documentation provide examples of a risk assessment (e.g., the Risk Assessment Report in Appendix C of the DAAPM), they do not provide detailed information on, or examples of, the threat sources. Developing and documenting such information can be time-consuming.
As such, the Risk Assessment Program provided within this document lists approximately 110 'Threat Events and Vulnerabilities' that can be used when assessing MUSA (multi-user standalone), SUSA (single-user standalone), LAN, WAN, or any other type of DoD environment.
Specifications: Developed in accordance with NIST SP 800-53, Revision 5 (12-10-2020), and other related security control frameworks, where applicable.
Control Family: Risk Assessment (RA).
Control Mapping: RA-3 and PM-9; also satisfies the DAAPM Appendix C (Risk Assessment Report) requirement.
Security Control Baseline Coverage: Includes coverage for all LOW, MOD, and HIGH baselines, per NIST SP 800-53B (12-10-2020).
Direct Compliance Use: FISMA, FedRAMP, NISP eMASS RMF, and other related NIST RMF reporting requirements for security and privacy. Can also be mapped to NIST SP 800-171 (as invoked by DFARS) and CMMC controls, where applicable.