RA-3(2)—Risk Assessment | Use of All-source Intelligence
>Control Description
>DoD Impact Level Requirements
No specific parameter values or requirements for this impact level.
>Discussion
Organizations employ all-source intelligence to inform engineering, acquisition, and risk management decisions. All-source intelligence consists of information derived from all available sources, including publicly available or open-source information, measurement and signature intelligence, human intelligence, signals intelligence, and imagery intelligence. All-source intelligence is used to analyze the risk of vulnerabilities (both intentional and unintentional) from development, manufacturing, and delivery processes, people, and the environment.
The risk analysis may be performed on suppliers at multiple tiers in the supply chain sufficient to manage risks. Organizations may develop agreements to share all-source intelligence information or resulting decisions with other organizations, as appropriate.
>Assessment Interview Topics
Questions assessors commonly ask
Process & Governance:
- •What is your organization's documented risk assessment policy and how does it address the requirements of RA-3(2)?
- •Who has been designated as responsible for conducting and maintaining risk assessments?
- •How frequently are risk assessments conducted and what triggers an update to the risk assessment?
Technical Implementation:
- •What methodology or framework do you use to conduct risk assessments?
- •How do you identify and categorize threats and vulnerabilities during the risk assessment process?
- •What tools or systems support your risk assessment activities?
Evidence & Documentation:
- •Can you provide the most recent risk assessment report?
- •What evidence demonstrates that risk assessment findings are communicated to appropriate stakeholders?
- •Where are risk assessment results documented and how long are they retained?
Ask AI
Configure your API key to use AI features.