RISK ANALYSIS AND DETERMINATION
Analyze and determine the risk from the operation or use of the system or the provision of common controls.
Potential Inputs: Authorization package; supporting assessment evidence or other documentation as required; information provided by the senior accountable official for risk management or risk executive (function); organizational risk management strategy and risk tolerance; organization- and system-level risk assessment results.
Expected Outputs: Risk determination.
Primary Responsibility: Authorizing Official or Authorizing Official Designated Representative.
Supporting Roles: Senior Accountable Official for Risk Management or Risk Executive (Function); Senior Agency Information Security Officer; Senior Agency Official for Privacy.
System Development Life Cycle Phase: New – Implementation/Assessment. Existing – Operations/Maintenance.
Discussion: The authorizing official or designated representative, in collaboration with the senior agency information security officer and the senior agency official for privacy (for information systems processing PII), analyzes the information in the authorization package provided by the control assessor, system owner, or common control provider, and finalizes the determination of risk. Further discussion with the control assessor, system owner, or common control provider may be necessary to help ensure a thorough understanding of risk by the authorizing official.
Risk assessments are employed to provide information (see note 99) that may influence the risk analysis and determination. The senior accountable official for risk management or risk executive (function) may provide additional information to the authorizing official that is considered in the final determination of risk to organizational operations and assets, individuals, other organizations, and the Nation resulting from either the operation or use of the system or the provision of common controls. The additional information may include, for example, organizational risk tolerance, dependencies among systems and controls, mission and business requirements, the criticality of the missions or business functions supported by the system, or the risk management strategy.
The authorizing official analyzes the information provided by the senior accountable official for risk management or risk executive (function) and information provided by the system owner or common control provider in the authorization package when making a risk determination. Any additional information provided by the senior accountable official for risk management or risk executive (function) is documented and included, to the extent it is relevant, as part of the authorization decision (see Task R-4). The authorizing official may also use an automated security/privacy management and reporting tool to annotate senior accountable official for risk management or risk executive (function) input.
When the system is operating under an ongoing authorization, the risk determination task is effectively unchanged. The authorizing official analyzes the relevant security and privacy information provided by the automated security/privacy management and reporting tool to determine the current security and privacy posture of the system.
References: [OMB A-130]; [SP 800-30]; [SP 800-39] (Organization, Mission/Business Process, and System Levels); [SP 800-137]; [SP 800-160 v1] (Risk Management Process); [IR 8062].
Note 99: [SP 800-30] provides guidance on conducting security risk assessments. [IR 8062] provides information about privacy risk assessments and associated risk factors.