NIST 800-53 r5 · Controls catalogue · Family RA
RA-3 Risk Assessment
- Conduct a risk assessment, including:
  - Identifying threats to and vulnerabilities in the system;
  - Determining the likelihood and magnitude of harm from unauthorized access, use, disclosure, disruption, modification, or destruction of the system, the information it processes, stores, or transmits, and any related information; and
  - Determining the likelihood and impact of adverse effects on individuals arising from the processing of personally identifiable information;
- Integrate risk assessment results and risk management decisions from the organization and mission or business process perspectives with system-level risk assessments;
- Document risk assessment results in {{ insert: param, ra-03_odp.01 }};
- Review risk assessment results {{ insert: param, ra-03_odp.03 }};
- Disseminate risk assessment results to {{ insert: param, ra-03_odp.04 }}; and
- Update the risk assessment {{ insert: param, ra-03_odp.05 }} or when there are significant changes to the system, its environment of operation, or other conditions that may impact the security or privacy state of the system.
Last updated: 09 May 2026 03:25 UTC
Implementations targeting this control (0)
- No implementations targeting this control yet.
ATT&CK techniques this control mitigates (0)
- No ATT&CK techniques mapped to this control yet.
Weaknesses this control addresses (8)
CWEs ranked by how often they appear in real CVEs. The rationale describes how this control reduces exploitability of each weakness class.
| CWE | Name | CVEs | Why this control addresses it |
|---|---|---|---|
| CWE-200 | Exposure of Sensitive Information to an Unauthorized Actor | 10,204 | Explicit evaluation of disclosure risks from sensitive data processing drives controls that reduce exposure to unauthorized actors. |
| CWE-284 | Improper Access Control | 4,832 | Risk assessment explicitly identifies threats from unauthorized access and drives decisions to implement or strengthen access control mechanisms. |
| CWE-287 | Improper Authentication | 4,730 | Assessment of authentication-related threats and vulnerabilities leads to remediation of missing or weak authentication controls. |
| CWE-306 | Missing Authentication for Critical Function | 2,567 | Risk assessments evaluate exposure of critical functions lacking authentication and prioritize corrective controls. |
| CWE-732 | Incorrect Permission Assignment for Critical Resource | 1,824 | Assessment of system vulnerabilities includes permission and privilege misconfigurations that enable unauthorized resource access. |
| CWE-285 | Improper Authorization | 1,230 | The control requires determining the likelihood and impact of unauthorized actions, directly surfacing and mitigating authorization weaknesses. |
| CWE-693 | Protection Mechanism Failure | 476 | Periodic review of protection effectiveness against identified threats directly addresses failures in security mechanisms. |
| CWE-359 | Exposure of Private Personal Information to an Unauthorized Actor | 174 | The control specifically requires assessing adverse effects from PII processing, directly mitigating privacy-related information exposure. |
Top CVEs where this control is the strongest mitigation
| CVE | Risk | CVSS | EPSS | Match |
|---|---|---|---|---|
| No CVEs annotated to this control yet — the per-CVE backfill is in progress. | | | | |