NIST CSF 2.0 · All Functions · ID Identify · ID.RA Risk Assessment

ID.RA-04

Potential impacts and likelihoods of threats exploiting vulnerabilities are identified and recorded

Implementation examples

Ex1: Business leaders and cybersecurity risk management practitioners work together to estimate the likelihood and impact of risk scenarios and record them in risk registers
Ex2: Enumerate the potential business impacts of unauthorized access to the organization's communications, systems, and data processed in or by those systems
Ex3: Account for the potential impacts of cascading failures for systems of systems

Mapped NIST 800-53 r5 controls (6)

Mapped CWE weaknesses (1)

Hover any chip for the human-reviewed coverage assessment in each direction. ← = the CWE covers this subcategory; → = this subcategory covers the CWE. F / M / P = full, mostly, partial.

CWE-1357→P

All informative references (45)

AI-SOC: AI-SOC-21
AI-SOC: AI-SOC-17
CCMv4.0: A&A-05
CCMv4.0: BCR-02
CCMv4.0: CEK-06
CCMv4.0: CEK-07
CCMv4.0: CEK-20
CCMv4.0: TVM-09
CRI Profile v2.0: ID.RA-04
CRI Profile v2.0: ID.RA-04.01
CSF v1.1: ID.RA-4
CoP: A5
Guardian-SDK: GS-TT-06
Guardian-SDK: GS-TT-07
ISO/IEC 27001:2022: Mandatory Clause: 6.1.1
ISO/IEC 27001:2022: Mandatory Clause: 6.1.2
ISO/IEC 27001:2022: Mandatory Clause: 6.1.3
ISO/IEC 27001:2022: Annex A Controls: None
NICE Framework: IO-WRL-006
NICE Framework: OG-WRL-013
NICE Framework: OG-WRL-014
NICE Framework: PD-WRL-006
NICE Framework: PD-WRL-007
OWASP Top 10 LLM Applications: LLM01-2025
OWASP Top 10 LLM Applications: LLM02-2025
OWASP Top 10 LLM Applications: LLM09-2025
PCI DSS: 12.3.1
SDOS: SDOS-RM-01
SDOS: SDOS-RM-02
SP 800-171 Rev 3: 03.11.01
SP 800-221A: MA.RI-4
SP 800-53 Rev 5.1.1: PM-09
SP 800-53 Rev 5.1.1: PM-11
SP 800-53 Rev 5.1.1: RA-02
SP 800-53 Rev 5.1.1: RA-03
SP 800-53 Rev 5.1.1: RA-08
SP 800-53 Rev 5.1.1: RA-09
SP 800-53 Rev 5.2.0: PM-09
SP 800-53 Rev 5.2.0: PM-11
SP 800-53 Rev 5.2.0: RA-02
SP 800-53 Rev 5.2.0: RA-03
SP 800-53 Rev 5.2.0: RA-08
SP 800-53 Rev 5.2.0: RA-09
SP-800-37 Rev 2: RMF Prepare Step (Organization & Mission/Business Levels): TASK P-3 Risk Assessment—Organization
SP-800-37 Rev 2: RMF Prepare Step (System Level): TASK P-14 Risk Assessment—System

Source: NIST Cybersecurity Framework 2.0 · CSF 2.0 → 800-53 mappings sourced from NIST Cybersecurity & Privacy Reference Tool (CPRT) · US government work — attribution requested per NIST Open License Terms. Direct CSF→CWE/CVE cross-references will be added in a Phase B LLM-authored mapping pass (not yet rendered).