NIST 800-53 r5 · Controls catalogue · Family RA
RA-1Policy and Procedures
Develop, document, and disseminate to {{ insert: param, ra-1_prm_1 }}: {{ insert: param, ra-01_odp.03 }} risk assessment policy that: Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and Procedures to facilitate the implementation of the risk assessment policy and the associated risk assessment controls; Designate an {{ insert: param, ra-01_odp.04 }} to manage the development, documentation, and dissemination of the risk assessment policy and procedures; and Review and update the current risk assessment: Policy {{ insert: param, ra-01_odp.05 }} and following {{ insert: param, ra-01_odp.06 }} ; and Procedures {{ insert: param, ra-01_odp.07 }} and following {{ insert: param, ra-01_odp.08 }}.
Last updated: 09 May 2026 03:25 UTC
Implementations targeting this control (0)
- No implementations targeting this control yet.
ATT&CK techniques this control mitigates (0)
- No ATT&CK techniques mapped to this control yet.
Weaknesses this control addresses (5)AI
CWEs ranked by how often they appear in real CVEs. The rationale describes how this control reduces exploitability of each weakness class.
| CWE | Name | CVEs | Why this control addresses it |
|---|---|---|---|
CWE-284 | Improper Access Control | 4,832 | Risk assessment policy requires systematic evaluation of access control decisions, reducing the likelihood that improper access control remains unaddressed. |
CWE-269 | Improper Privilege Management | 2,907 | Periodic policy-driven reviews of privileges and roles make improper privilege management more likely to be detected and corrected. |
CWE-732 | Incorrect Permission Assignment for Critical Resource | 1,824 | Risk assessment procedures include review of permission assignments on critical resources, directly lowering the chance of persistent incorrect assignments. |
CWE-693 | Protection Mechanism Failure | 476 | Documented risk assessment processes ensure protection mechanisms are identified, evaluated, and maintained rather than failing due to neglect. |
CWE-657 | Violation of Secure Design Principles | 19 | Formal risk assessment policy and procedures directly enforce consistent application of secure design principles across the organization. |
Top CVEs where this control is the strongest mitigation
| CVE | Risk | CVSS | EPSS | Match |
|---|---|---|---|---|
| No CVEs annotated to this control yet — the per-CVE backfill is in progress. | ||||