| Category/Subcategory/Element | Control Reference | Control Summary | Interpretation |
|---|---|---|---|
| | RA-3 Risk assessment | The organization conducts assessments of the risk and magnitude of harm that could result from the unauthorized access, use, disclosure, disruption, modification, or destruction of information and information systems that support the operations and assets of the agency (including information and information systems managed/operated by external parties). | |
| | RA-4 Risk assessment update | The organization updates the risk assessment [assignment: organization-defined frequency] or whenever there are significant changes to the information system, the facilities where the system resides, or other conditions that may impact the security or accreditation status of the system. | |
| | RA-5 Vulnerability scanning | The organization scans for vulnerabilities in the information system [assignment: organization-defined frequency] or when significant new vulnerabilities potentially affecting the system are identified and reported. | |
| System and Services Acquisition (SA) | SA-1 System and services acquisition policy and procedures | The organization develops, disseminates, and periodically reviews/updates: (i) a formal, documented system and services acquisition policy that includes information security considerations and that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and (ii) formal, documented procedures to facilitate the implementation of the system and services acquisition policy and associated system and services acquisition controls. | |