NIST CSF 2.0 · All Functions · ID Identify · ID.RA Risk Assessment

ID.RA-01

Vulnerabilities in assets are identified, validated, and recorded

Implementation examples

Ex1: Use vulnerability management technologies to identify unpatched and misconfigured software
Ex2: Assess network and system architectures for design and implementation weaknesses that affect cybersecurity
Ex3: Review, analyze, or test organization-developed software to identify design, coding, and default configuration vulnerabilities
Ex4: Assess facilities that house critical computing assets for physical vulnerabilities and resilience issues
Ex5: Monitor sources of cyber threat intelligence for information on new vulnerabilities in products and services
Ex6: Review processes and procedures for weaknesses that could be exploited to affect cybersecurity

Mapped NIST 800-53 r5 controls (10)

CA-02 CA-07 CA-08 RA-03 RA-05 SA-11(02)SA-15(07)SA-15(08)SI-04 SI-05

Mapped CWE weaknesses (4)

Hover any chip for the human-reviewed coverage assessment in each direction. ← = the CWE covers this subcategory; → = this subcategory covers the CWE. F / M / P = full, mostly, partial.

CWE-1051→P CWE-1256→P CWE-1277←P CWE-1357←P

All informative references (91)

AI-SOC: AI-SOC-21
AI-SOC: AI-SOC-15
CCMv4.0: AIS-05
CCMv4.0: AIS-07
CCMv4.0: TVM-01
CCMv4.0: TVM-03
CCMv4.0: TVM-05
CCMv4.0: TVM-06
CCMv4.0: TVM-07
CCMv4.0: TVM-08
CCMv4.0: TVM-09
CCMv4.0: TVM-10
CIS Controls v8.0: 7.1
CIS Controls v8.1: 7.1
CRI Profile v2.0: ID.RA-01
CRI Profile v2.0: ID.RA-01.01
CRI Profile v2.0: ID.RA-01.02
CRI Profile v2.0: ID.RA-01.03
CSF v1.1: ID.RA-1
CSF v1.1: PR.IP-12
CSF v1.1: DE.CM-8
CoP: A5
Guardian-SDK: GS-TT-01
Guardian-SDK: GS-TT-02
Guardian-SDK: GS-TT-03
Guardian-SDK: GS-TT-04
Guardian-SDK: GS-TT-14
Guardian-SDK: GS-TT-15
Guardian-SDK: GS-TT-16
IRP: IRP-Sec-2
IRP: IRP-Sec-2
IRP: IRP-Sec-2
ISO/IEC 27001:2022: Mandatory Clause: None
ISO/IEC 27001:2022: Annex A Controls: 8.8
NICE Framework: DD-WRL-005
NICE Framework: IO-WRL-006
NICE Framework: OG-WRL-012
NICE Framework: OG-WRL-013
NICE Framework: OG-WRL-014
NICE Framework: PD-WRL-007
OWASP Top 10 LLM Applications: LLM01-2025
OWASP Top 10 LLM Applications: LLM05-2025
OWASP Top 10 LLM Applications: LLM07-2025
OWASP Top 10 LLM Applications: LLM08-2025
PCI DSS: 11.3.1
PCI DSS: 11.3.2
PCI DSS: 6.3.1
PCI DSS: 11.4.4
PCI DSS: 6.3.2
SCF: IAO-01
SCF: IAO-02
SCF: IAO-05
SCF: RSK-04
SCF: TDA-09
SCF: VPM-01
SCF: VPM-06
SDOS: SDOS-AU-02
SDOS: SDOS-IN-01
SP 800-171 Rev 3: 03.11.01
SP 800-171 Rev 3: 03.11.02
SP 800-171 Rev 3: 03.12.01
SP 800-171 Rev 3: 03.12.03
SP 800-171 Rev 3: 03.14.03
SP 800-171 Rev 3: 03.14.06
SP 800-221A: MA.RI-3
SP 800-53 Rev 5.1.1: CA-02
SP 800-53 Rev 5.1.1: CA-07
SP 800-53 Rev 5.1.1: CA-08
SP 800-53 Rev 5.1.1: RA-03
SP 800-53 Rev 5.1.1: RA-05
SP 800-53 Rev 5.1.1: SA-11(02)
SP 800-53 Rev 5.1.1: SA-15(07)
SP 800-53 Rev 5.1.1: SA-15(08)
SP 800-53 Rev 5.1.1: SI-04
SP 800-53 Rev 5.1.1: SI-05
SP 800-53 Rev 5.2.0: CA-02
SP 800-53 Rev 5.2.0: CA-07
SP 800-53 Rev 5.2.0: CA-08
SP 800-53 Rev 5.2.0: RA-03
SP 800-53 Rev 5.2.0: RA-05
SP 800-53 Rev 5.2.0: SA-11(02)
SP 800-53 Rev 5.2.0: SA-15(07)
SP 800-53 Rev 5.2.0: SA-15(08)
SP 800-53 Rev 5.2.0: SI-04
SP 800-53 Rev 5.2.0: SI-05
SP-800-37 Rev 2: RMF Prepare Step (Organization & Mission/Business Levels): TASK P-3 Risk Assessment—Organization
SP-800-37 Rev 2: RMF Prepare Step (System Level): TASK P-14 Risk Assessment—System
SP-800-37 Rev 2: RMF Assess Step: TASK A-3 Control Assessments
SP-800-37 Rev 2: RMF Monitor Step: TASK M-1 System and Environment Changes
SP-800-37 Rev 2: RMF Monitor Step: TASK M-2 Ongoing Assessments
SSDF: PO.5.2

Source: NIST Cybersecurity Framework 2.0 · CSF 2.0 → 800-53 mappings sourced from NIST Cybersecurity & Privacy Reference Tool (CPRT) · US government work — attribution requested per NIST Open License Terms. Direct CSF→CWE/CVE cross-references will be added in a Phase B LLM-authored mapping pass (not yet rendered).