SV-42878r3_rule
V-32541
Risk Assessment - Holistic Review (site/environment/information systems)
PH-02.02.01
CAT II
10
1. Ensure there is a “Holistic” Risk Assessment (RA) for the site that includes consideration of environmental hazards, weather hazards, criminal and terrorist hazards, insider threat hazards and any other threats that could possibly impact the Confidentiality/Integrity/Availability (CIA) of the Information Technology (IT) facility and/or Information System (IS) equipment.
2. Ensure the RA is revalidated/updated at least annually.
3. Ensure the current site commander/director signed the risk assessment in conjunction with or in coordination with the AOs for resident system(s), signifying acceptance of any residual risk.
NOTE 1: While an AO-signed ATO does in fact signify acceptance of risk for specific systems, this alone does not meet the requirement for a formal risk assessment, which is a very specific and separate individual document.
NOTE 2: Conducting a risk analysis is not just a simple paperwork drill - or at least it should not be. Often organizations take a risk analysis template and simply insert their organization's information, local environmental information, etc. - but do not do a good job of actually assessing threats and the countermeasures in place (or that can be applied) to come up with an acceptable level of residual risk. A good risk assessment is a team effort (security, IA, COOP, engineers, safety, management...) and should be headed by someone with at least some training in conducting risk assessments.
NOTE 3: Training is offered by the Defense Security Service (DSS) Academy in Linthicum, MD among others.
NOTE 4: The NIST SP 800-30, Guide for Conducting Risk Assessments provides a widely used format and instructions for conducting a RA. Reviewers should recommend sites use this publication as the basis for conducting their RA.
NOTE 5: When there is a government/DoD contract with an industry partner, the government sponsor is inherently and ultimately responsible for risk-based decisions. The contractor only performs mission-related tasks IAW contract specifications (e.g., statement of work (SOW)), which should ideally include guidance for risk assessment and acceptance.
Hence, while the industry partner can prepare and coordinate the risk assessment, it is the government/DoD customer who has the ultimate responsibility for accepting and coordinating risk based on their mission requirements. Therefore, the head of the contract sponsoring organization must approve/sign the risk assessment/acceptance of residual risk.
The Authorizing Official (AO) for industry locations is the Defense Security Service (DSS) Cognizant Security Office (CSO). Each CSO appoints an AO for system related risk evaluation.
NOTE 6: A thorough organizational risk assessment and acceptance of residual risk should be properly coordinated with all stakeholders to ensure there are no conflicts or issues. This must include the Authorizing Official (AO), and should also include where appropriate the DISN Connection Approval Office (CAO), the Program Management Office (PMO), local law enforcement, fire/safety, Counter Intelligence (CI) Support, Federal Emergency Management Agency (FEMA) along with state and local emergency management counterparts as applicable. The government Contracting Officer and/or Contracting Officer's Representative (COR) should inherently be included for coordination with all contractor related risk assessments.
1. Check that there is a “Holistic” Risk Assessment (RA) for the site that includes consideration of environmental hazards, weather hazards, criminal and terrorist hazards, insider threat hazards and any other threats that could possibly impact the Confidentiality/Integrity/Availability (CIA) of the Information Technology (IT) facility and/or Information System (IS) equipment.
2. Check to ensure the RA is revalidated/updated at least annually.
3. Check to ensure the current site commander/director signed the risk assessment in conjunction with or in coordination with the Authorizing Officials (AOs) for resident system(s), signifying acceptance of any residual risk.
NOTE 1: While an AO-signed ATO does in fact signify acceptance of risk for specific systems, this alone does not meet the requirement for a formal risk assessment, which is a very specific and separate individual document.
NOTE 2: Conducting a risk analysis is not just a simple paperwork drill - or at least it should not be. Often organizations take a risk analysis template and simply insert their organization's information, local environmental information, etc. - but do not do a good job of actually assessing threats and the countermeasures in place (or that can be applied) to come up with an acceptable level of residual risk. A good risk assessment is a team effort (security, IA, COOP, engineers, safety, management...) and should be headed by someone with at least some training in conducting risk assessments.
NOTE 3: Training is offered by the Defense Security Service (DSS) Academy in Linthicum, MD among others.
NOTE 4: The NIST SP 800-30, Guide for Conducting Risk Assessments provides a widely used format and instructions for conducting a RA. Reviewers should recommend sites use this publication as the basis for conducting their RA.
NOTE 5: Time permitting, the reviewer should make recommendations for improving the risk analysis process at a site, since this is a critical element in any effective security management program.
NOTE 6: When there is a government/DoD contract with an industry partner, the government sponsor is inherently and ultimately responsible for risk-based decisions. The contractor only performs mission-related tasks IAW contract specifications (e.g., statement of work (SOW)), which should ideally include guidance for risk assessment and acceptance.
Hence, while the industry partner can prepare and coordinate the risk assessment, it is the government/DoD customer who has the ultimate responsibility for accepting and coordinating risk based on their mission requirements. Therefore, the head of the contract sponsoring organization must approve/sign the risk assessment/acceptance of residual risk.
The Authorizing Official (AO) for industry locations is the Defense Security Service (DSS) Cognizant Security Office (CSO). Each CSO appoints an AO for system related risk evaluation.
NOTE 7: A thorough organizational risk assessment and acceptance of residual risk should be properly coordinated with all stakeholders to ensure there are no conflicts or issues. This must include the Authorizing Official (AO), and should also include where appropriate the DISN Connection Approval Office (CAO), the Program Management Office (PMO), local law enforcement, fire/safety, Counter Intelligence (CI) Support, Federal Emergency Management Agency (FEMA) along with state and local emergency management counterparts as applicable. The government Contracting Officer and/or Contracting Officer's Representative (COR) should inherently be included for coordination with all contractor related risk assessments.
TACTICAL ENVIRONMENT: The check is applicable for fixed (established) tactical processing environments where procedural documents (SOPs) should be in place. Not applicable to a field/mobile environment.
V-32541
False
PH-02.02.01
M
2506