RA-2(1)—Impact-Level Prioritization
Supplemental Guidance
Organizations apply the high-water mark concept to each system categorized in accordance with FIPS 199, resulting in systems designated as low impact, moderate impact, or high impact. Organizations that desire additional granularity in the system impact designations for risk-based decision-making can further partition the systems into sub-categories of the initial system categorization. For example, an impact-level prioritization on a moderate-impact system can produce three new sub-categories: low-moderate systems, moderate-moderate systems, and high-moderate systems.
Impact-level prioritization and the resulting sub-categories of the system give organizations an opportunity to focus their investments related to security control selection and the tailoring of control baselines in responding to identified risks. Impact-level prioritization can also be used to determine those systems that may be of heightened interest or value to adversaries or represent a critical loss to the federal enterprise, sometimes described as high value assets. For such high value assets, organizations may be more focused on complexity, aggregation, and information exchanges.
Systems with high value assets can be prioritized by partitioning high-impact systems into low-high systems, moderate-high systems, and high-high systems. Alternatively, organizations can apply the guidance in CNSSI 1253 for security objective-related categorization.
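The two steps described above, the FIPS 199 high-water mark followed by a prioritization within the resulting impact level, are shown below as an added worked example; this is not NIST text or a NIST tool. The `Impact`, `Categorization` and `System` types, the rule that counts the three high-value-asset factors the guidance names (complexity, aggregation, information exchanges) to pick the priority tier, and the sample inventory are all assumptions of this example, since the actual prioritization criteria are organization-defined.

```python
from dataclasses import dataclass
from enum import IntEnum


class Impact(IntEnum):
    """FIPS 199 impact levels, ordered so that max() yields the high-water mark."""
    LOW = 1
    MODERATE = 2
    HIGH = 3


@dataclass(frozen=True)
class Categorization:
    """FIPS 199 categorization: one impact level per security objective."""
    confidentiality: Impact
    integrity: Impact
    availability: Impact


@dataclass(frozen=True)
class System:
    name: str
    categorization: Categorization
    # Hypothetical high-value-asset indicators, drawn from the three factors the
    # guidance names. How they are weighted (below) is an assumption of this example.
    complex_architecture: bool = False
    aggregates_sensitive_data: bool = False
    many_information_exchanges: bool = False


def high_water_mark(cat: Categorization) -> Impact:
    """Overall system impact is the highest impact across confidentiality, integrity and availability."""
    return max(cat.confidentiality, cat.integrity, cat.availability)


def priority_within_level(system: System) -> Impact:
    """Assumed organizational rule: 0 HVA factors -> LOW, 1 -> MODERATE, 2 or more -> HIGH."""
    factors = sum([system.complex_architecture,
                   system.aggregates_sensitive_data,
                   system.many_information_exchanges])
    if factors == 0:
        return Impact.LOW
    if factors == 1:
        return Impact.MODERATE
    return Impact.HIGH


def sub_category(system: System) -> str:
    """Label in the guidance's form, e.g. 'high-moderate' = high priority within a moderate-impact system."""
    priority = priority_within_level(system).name.lower()
    level = high_water_mark(system.categorization).name.lower()
    return f"{priority}-{level}"


def rank_systems(systems):
    """Order systems for control-selection and tailoring investment: impact level first, then priority."""
    return sorted(systems,
                  key=lambda s: (high_water_mark(s.categorization), priority_within_level(s)),
                  reverse=True)


# Constructed sample inventory (not real systems).
SAMPLE_SYSTEMS = [
    System("hr-records", Categorization(Impact.MODERATE, Impact.MODERATE, Impact.LOW),
           aggregates_sensitive_data=True, many_information_exchanges=True),
    System("public-web", Categorization(Impact.LOW, Impact.LOW, Impact.MODERATE)),
    System("identity-provider", Categorization(Impact.HIGH, Impact.HIGH, Impact.HIGH),
           complex_architecture=True, aggregates_sensitive_data=True, many_information_exchanges=True),
    System("lab-testbed", Categorization(Impact.LOW, Impact.LOW, Impact.LOW),
           complex_architecture=True),
]

if __name__ == "__main__":
    for s in rank_systems(SAMPLE_SYSTEMS):
        print(f"{s.name:20} {sub_category(s)}")
```

Because the sub-category is derived from, and never replaces, the FIPS 199 high-water mark, a low-priority system inside the moderate band still inherits the full moderate baseline; the prioritization only informs where tailoring effort and additional investment go within that band.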
Assessment Interview Topics
Questions assessors commonly ask
Process & Governance:
- What is your organization's documented risk assessment policy and how does it address the requirements of RA-2(1)?
- Who has been designated as responsible for conducting and maintaining risk assessments?
- How frequently are risk assessments conducted and what triggers an update to the risk assessment?
Technical Implementation:
- What methodology or framework do you use to conduct risk assessments?
- How do you identify and categorize threats and vulnerabilities during the risk assessment process?
- What tools or systems support your risk assessment activities?
- How do you determine the security categorization of systems and information?
Evidence & Documentation:
- Can you provide the most recent risk assessment report?
- What evidence demonstrates that risk assessment findings are communicated to appropriate stakeholders?
- Where are risk assessment results documented and how long are they retained?
- Can you show the security categorization documentation for each system in scope?