
Risk Assessment (RA)

5. MANAGEMENT CONTROLS

5.3 Risk Assessment (RA)

Risk Assessment (RA) security controls provide guidance for identification and management of security risks to information systems. Risk assessment is an ongoing process of identifying the likelihood of a given threat-source exercising a potential vulnerability, and the resulting impact of that adverse event on the information system and organization. Risk management is a process that allows Program Management Offices (PMO) to balance the operational and economic costs of protective measures to achieve gains in mission capability by protecting the information systems and data that support their missions.

Risk assessments are performed throughout the system development life cycle (SDLC) to assess security threats and vulnerabilities and ensure the appropriate security controls are planned and implemented. Therefore, risk assessment should be completed as part of system design, prior to system implementation, and on routine changes to the system. Risk assessments address the magnitude of harm that could result from the loss, unauthorized modification, or disclosure of information (including information and information systems managed and operated by external parties).

The risk assessment process shall be integrated within the SDLC and shall be tailored to the particular phase of the Office of Personnel Management (OPM) SDLC in which it occurs. Some risk assessment activities may not take place in all phases of the SDLC, or may take on a modified methodology. When assessing a system, provisions should be made for those security activities that may be missing. Part of the assessment will be determining which, or how many, activities need to be completed from prior phases in the SDLC. With respect to risk assessments completed by OPM personnel, phases include Initiation, Acquisition/Development, Operations/Maintenance, and Disposal.

Policy: OPM shall assess the risk to operations (including mission and functions), image, reputation, assets, and individuals resulting from the operation of information systems and the processing, storage, and transmission of information whenever change occurs. Initial vulnerability scans for new systems and routine scans as part of the ongoing continuous monitoring shall be conducted.

5.3.1 Risk Assessment Policy and Procedures (RA-1)

The policies under this family are implemented with the OPM Risk Assessment Procedure. Risk assessment procedures shall be developed and disseminated. The procedures shall be reviewed at least annually and updated as determined necessary.

5.3.2 Security Categorization (RA-2)

The System Owner (SO) shall ensure categorization of the information system and the information processed, stored, or transmitted by the system in accordance with Federal Information Processing Standard (FIPS) 199, National Institute of Standards and Technology (NIST) SP 800-60, and other applicable laws, Executive orders, directives, policies, regulations, standards, and guidance using the OPM FIPS 199 template. The security categorization results (including supporting rationale) shall be documented in the System Security Plan (SSP). The Authorizing Official (AO) shall review and approve the security categorization.

To establish sensitivity ratings, the security categorization for each information type and the information system shall be determined. The criteria for establishing security categories are defined in NIST SP 800-60, Guide for Mapping Types of Information and Information Systems to Security Categories. FIPS 199, Standards for Security Categorization of Federal Information and Information Systems, provides criteria to determine the potential impact level for each security objective. Establishing a security category (SC) requires determining the potential impact for each security objective associated with an information type. Once the NIST SP 800-60 sensitivity ratings have been established for each information type, that information is used to determine the SC for the system. An initial Preliminary Risk Assessment provides the foundation for the SSP, including the establishment of a system's sensitivity level by identification of Security Categories for the information system and information type, identification of threats to the system, determination of information and system sensitivity levels (FIPS 199), and validation of the security controls necessary (NIST SP 800-53) to ensure security.

OPM shall conduct the security categorization process as an organization-wide activity with the involvement of the SO, Information System Security Officer (ISSO), Information Owner (IO), Chief Information Security Officer (CISO), and Chief Information Officer (CIO). The security categorization process facilitates the creation of an inventory of information assets.

A clearly defined authorization boundary is a prerequisite for an effective security categorization. Security categorization describes the potential adverse impacts to organizational operations, organizational assets, and individuals should the information and information system be compromised, resulting in a loss of confidentiality, integrity, or availability. Potential adverse impacts to other organizations and, in accordance with the USA PATRIOT Act of 2001 and Homeland Security Presidential Directives, potential national-level adverse impacts shall also be considered in categorizing information systems.

5.3.3 Risk Assessment (RA-3)

Risk assessments (either formal or informal) can be conducted by organizations at various steps in the Risk Management Framework (RMF), as they are integrated into every phase of the system development life cycle (SDLC). Risk assessments shall be accomplished prior to the implementation of system changes to determine impacts to the security controls established for the system. Risk assessments support and also may be part of the Security Assessment and Authorization process. Risk Assessments for OPM systems are documented in the Security Assessment Report (SAR) that contains both the risk assessment methodology and results of the risk assessment.

OPM SOs shall ensure:

• Assessment of risk is conducted, including the likelihood and magnitude of harm, from the unauthorized access, use, disclosure, disruption, modification, or destruction of the information system and the information it processes, stores, or transmits which supports the operations and assets of the OPM (including information and information systems managed and operated by external parties);

• System risk assessment results are documented in the Security Assessment Report (SAR);

• The SAR is updated at least annually and submitted to the CISO office; and

• The SAR is updated at least annually in conjunction with the security assessment or whenever there are significant changes to the information system or environment of operation (including the identification of new threats and vulnerabilities), or other conditions that may impact the security state of the system.

Risk assessments take into account vulnerabilities, threat sources, and security controls planned or in place to determine the level of residual risk posed to organizational operations and assets, individuals, other organizations, and the Nation based on the operation of the information system. Risk assessments also take into account risk posed to organizational operations, organizational assets, or individuals from external parties (e.g., service providers, contractors operating information systems on behalf of the organization, individuals accessing organizational information systems, outsourcing entities). Risk assessments also take into account public access to OPM information systems. In accordance with Office of Management and Budget (OMB) policy and related E-authentication initiatives, authentication of public users accessing federal information systems may also be required to protect nonpublic or privacy-related information.

Reference IA-8.

5.3.4 Vulnerability Scanning (RA-5)

Vulnerability scanning includes scanning for specific functions, ports, protocols, and services that should not be accessible to users or devices and for improperly configured or incorrectly operating information flow mechanisms. The security categorization of the information system guides the frequency and comprehensiveness of the vulnerability scans. Vulnerability analysis for custom software and applications may require additional, more specialized techniques and approaches (e.g., web-based application scanners, source code reviews, source code analyzers).

System Owners (SOs) shall ensure:

• Scanning for vulnerabilities in the information system and hosted applications is completed at least quarterly for high systems and semi-annually for other systems, and when new vulnerabilities potentially affecting the system/applications are identified and reported.

• Employment of vulnerability scanning tools and techniques that promote interoperability among tools and automate parts of the vulnerability management process by using standards for:

  • Enumerating platforms, software flaws, and improper configurations;

  • Formatting and making transparent checklists and test procedures; and

  • Measuring vulnerability impact.

Security Content Automation Protocol (SCAP) validated tools shall be used where and when available (e.g., Federal Desktop Core Configuration – FDCC). Tools that express vulnerabilities in the Common Vulnerabilities and Exposures (CVE) naming convention and that use the Open Vulnerability Assessment Language (OVAL) to test for the presence of vulnerabilities shall be considered. The Common Weakness Enumeration (CWE) and the National Vulnerability Database (NVD) are also excellent sources for vulnerability information.

• Analysis of vulnerability scan reports and results from security control assessments, and tracking in the Plan of Action and Milestones (POA&M) of vulnerabilities that could not be remediated within 30 days.

• Remediation of legitimate vulnerabilities in accordance with the OPM Risk Assessment Procedure.

• Note: Risk must be assessed for all vulnerabilities identified during scanning. The remediation timeline applies to vulnerabilities that OPM plans to address, and does not apply to proven false positives and vulnerabilities that will be accepted.

• Share information obtained from the vulnerability scanning process and security control assessments with designated personnel throughout the organization to help eliminate similar vulnerabilities in other information systems (i.e., systemic weaknesses or deficiencies).
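The 30-day POA&M rule, the false-positive/accepted-risk exclusion in the note above, and the scan cadence by categorization can be applied mechanically to scanner output. The following is an added example written for this page, not part of the OPM Risk Assessment Procedure; the finding fields, the status values, and the 91/182-day approximations of "quarterly" and "semi-annually" are assumptions, and the CVE ids are constructed placeholders.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Assumed approximations of the policy cadence: quarterly for High systems,
# semi-annual for Moderate and Low systems.
SCAN_INTERVAL_DAYS = {"high": 91, "moderate": 182, "low": 182}
POAM_THRESHOLD_DAYS = 30  # open findings older than this must be tracked in the POA&M


@dataclass
class Finding:
    system: str
    cve: str           # CVE identifier as reported by the scanner
    first_seen: date   # date the scanner first reported the finding
    status: str        # assumed values: "open", "remediated", "false_positive", "accepted"


def requires_poam(finding: Finding, today: date) -> bool:
    """True when an open finding has exceeded the 30-day remediation window.
    Proven false positives and formally accepted risks are excluded, as the
    policy note states the timeline does not apply to them."""
    if finding.status != "open":
        return False
    return (today - finding.first_seen).days > POAM_THRESHOLD_DAYS


def poam_candidates(findings, today: date):
    """Sorted CVE ids that must be entered into the POA&M as of `today`."""
    return sorted(f.cve for f in findings if requires_poam(f, today))


def next_scan_due(last_scan: date, categorization: str) -> date:
    """Next routine scan date derived from the system's FIPS 199 categorization."""
    return last_scan + timedelta(days=SCAN_INTERVAL_DAYS[categorization.lower()])


def scan_overdue(last_scan: date, categorization: str, today: date) -> bool:
    """True when the routine scan for this categorization has not been run on time."""
    return today > next_scan_due(last_scan, categorization)


# Constructed sample scan results; the CVE ids are placeholders, not real vulnerabilities.
SAMPLE_FINDINGS = [
    Finding("hr-portal", "CVE-0000-0001", date(2024, 1, 2), "open"),            # 59 days old
    Finding("hr-portal", "CVE-0000-0002", date(2024, 2, 20), "open"),           # 10 days old
    Finding("hr-portal", "CVE-0000-0003", date(2024, 1, 5), "false_positive"),  # excluded
    Finding("hr-portal", "CVE-0000-0004", date(2024, 1, 5), "accepted"),        # excluded
]

if __name__ == "__main__":
    print(poam_candidates(SAMPLE_FINDINGS, date(2024, 3, 1)))
    print(next_scan_due(date(2024, 1, 15), "high"))
```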

OPM shall employ vulnerability scanning tools that include the capability to readily update the list of information system vulnerabilities scanned. (Moderate and High)

SOs shall ensure:

• The list of information system vulnerabilities scanned is updated weekly, or when new vulnerabilities are identified and reported.

• Employment of vulnerability scanning procedures that can demonstrate the breadth and depth of coverage (i.e., information system components scanned and vulnerabilities checked).

• Attempts are made to discern what information about the information system is vulnerable to adversaries.

• Privileged access authorization to system devices (network components, servers, workstations, etc.) and databases is included for selected vulnerability scanning activities to facilitate more thorough scanning.

• Employment of real-time automated mechanisms to detect the presence of unauthorized software on organizational information systems and notify designated organizational officials. (High)