ID.RA — Risk Assessment
The cybersecurity risk to the organization, assets, and individuals is understood by the organization
ID.RA-01
Vulnerabilities in assets are identified, validated, and recorded
ID.RA-02
Cyber threat intelligence is received from information sharing forums and sources
ID.RA-03
Internal and external threats to the organization are identified and recorded
ID.RA-04
Potential impacts and likelihoods of threats exploiting vulnerabilities are identified and recorded
ID.RA-05
Threats, vulnerabilities, likelihoods, and impacts are used to understand inherent risk and inform risk response prioritization
ID.RA-06
Risk responses are chosen, prioritized, planned, tracked, and communicated
ID.RA-07
Changes and exceptions are managed, assessed for risk impact, recorded, and tracked
ID.RA-08
Processes for receiving, analyzing, and responding to vulnerability disclosures are established
ID.RA-09
The authenticity and integrity of hardware and software are assessed prior to acquisition and use
ID.RA-10
Critical suppliers are assessed prior to acquisition
Source: NIST Cybersecurity Framework 2.0 · CSF 2.0 → 800-53 mappings sourced from NIST Cybersecurity & Privacy Reference Tool (CPRT) · US government work — attribution requested per NIST Open License Terms. Direct CSF→CWE/CVE cross-references will be added in a Phase B LLM-authored mapping pass (not yet rendered).