Question: Read section 3.1, step 1, Task 1-1: Identify Purpose. Describe the purpose of this risk assessment.
PREPARING FOR THE RISK ASSESSMENT
The first step in the risk assessment process is to prepare for the assessment. The objective of this
step is to establish a context for the risk assessment. This context is established and informed by
the results from the risk framing step of the risk management process. Risk framing identifies, for
example, organizational information regarding policies and requirements for conducting risk
assessments, specific assessment methodologies to be employed, procedures for selecting risk
factors to be considered, scope of the assessments, rigor of analyses, degree of formality, and
requirements that facilitate consistent and repeatable risk determinations across the organization.
Organizations use the risk management strategy to the extent practicable to obtain information to
prepare for the risk assessment. Preparing for a risk assessment includes the following tasks:
Identify the purpose of the assessment;
Identify the scope of the assessment;
Identify the assumptions and constraints associated with the assessment;
Identify the sources of information to be used as inputs to the assessment; and
Identify the risk model and analytic approaches (i.e., assessment and analysis approaches) to
be employed during the assessment.
STEP 1: PREPARE FOR THE ASSESSMENT
IDENTIFY PURPOSE
TASK 1-1: Identify the purpose of the risk assessment in terms of the information that the assessment is
intended to produce and the decisions the assessment is intended to support.
Supplemental Guidance: The purpose of the risk assessment is explicitly stated in sufficient detail to ensure that the
assessment produces the appropriate information and supports the intended decisions. Organizations can provide
guidance on how to capture and present information produced during the risk assessment (e.g., using a defined
organizational template). Appendix K provides an exemplary template for a risk assessment report or the preferred
vehicle for risk communication. At Tier 3, risk assessments support: (i) authorization-related decisions throughout the
system development life cycle; (ii) reciprocity, particularly for reuse of assessment information; (iii) risk management
activities at Tier 2; and (iv) programmatic risk management activities throughout the system development life cycle. At
Tier 2, risk assessments enable organizations to: (i) understand dependencies and ways in which risks are accepted,
rejected, shared, transferred, or mitigated among information systems that support organizational mission/business
processes; (ii) support architectural and operational decisions for organizational risk responses (e.g., reducing
dependencies, limiting connectivity, enhancing or focusing monitoring, and enhancing information system resiliency);
(iii) identify trends, so that proactive risk response strategies and courses of action for mission/business processes can
be defined; and (iv) support reciprocity, particularly to enable information sharing. At Tier 1, risk assessments: (i)
support the risk executive (function); and (ii) serve as a key input to the risk management strategy. In addition to these
common purposes, risk assessments may have a very specific purpose, to answer a specific question (e.g., What are the
risk implications of a newly discovered vulnerability or class of vulnerabilities, allowing new connectivity, outsourcing
a specific function, or adopting a new technology?). Risk assessment results from all tiers can be used by organizations
to inform the acquisition process by helping to ensure information security requirements are clearly specified.
The purpose of the risk assessment is influenced by whether the assessment is: (i) an initial assessment; or (ii) a
subsequent assessment initiated from the risk response or monitoring steps in the risk management process. For initial
assessments, the purpose can include, for example: (i) establishing a baseline assessment of risk; or (ii) identifying
threats and vulnerabilities, impacts to organizational operations and assets, individuals, other organizations, and the
Nation, and other risk factors to be tracked over time as part of risk monitoring. For a reassessment initiated from the
risk response step, the purpose can include, for example, providing a comparative analysis of alternative risk responses
or answering a specific question (see discussion of targeted risk assessments above). Alternatively, for a reassessment
initiated from the risk monitoring step, the purpose can include, for example, updating the risk assessment based on: (i)
ongoing determinations of the effectiveness of security controls in organizational information systems or environments
of operation; (ii) changes to information systems or environments of operation (e.g., changes to hardware, firmware,
software; changes to sys
