Cyber Resilience

NIST 800-53 r5 · Controls catalogue · Family RA

RA-3 Risk Assessment

a. Conduct a risk assessment, including:
   1. Identifying threats to and vulnerabilities in the system;
   2. Determining the likelihood and magnitude of harm from unauthorized access, use, disclosure, disruption, modification, or destruction of the system, the information it processes, stores, or transmits, and any related information; and
   3. Determining the likelihood and impact of adverse effects on individuals arising from the processing of personally identifiable information;
b. Integrate risk assessment results and risk management decisions from the organization and mission or business process perspectives with system-level risk assessments;
c. Document risk assessment results in {{ insert: param, ra-03_odp.01 }};
d. Review risk assessment results {{ insert: param, ra-03_odp.03 }};
e. Disseminate risk assessment results to {{ insert: param, ra-03_odp.04 }}; and
f. Update the risk assessment {{ insert: param, ra-03_odp.05 }} or when there are significant changes to the system, its environment of operation, or other conditions that may impact the security or privacy state of the system.

Last updated: 04 July 2026 00:28 UTC

Cumulative inbound coverage

How completely the frameworks we cross-walk collectively cover this control. The verdict is the strongest single mapping (overlapping partial mappings are not summed); the mapping count shows the breadth of corroboration behind that verdict.

Collective: mostly · 23 mapping(s) from 1 framework(s): CSF 2.0 23 (mostly)


Implementations targeting this control (0)

ATT&CK techniques this control mitigates (0)

Weaknesses this control addresses (8)

CWEs ranked by how often they appear in real CVEs. The rationale describes how this control reduces exploitability of each weakness class.

CWE · Name · CVEs · Why this control addresses it
CWE-200 · Exposure of Sensitive Information to an Unauthorized Actor · 10,501 · Explicit evaluation of disclosure risks from sensitive data processing drives controls that reduce exposure to unauthorized actors.
CWE-284 · Improper Access Control · 5,367 · Risk assessment explicitly identifies threats from unauthorized access and drives decisions to implement or strengthen access control mechanisms.
CWE-287 · Improper Authentication · 4,908 · Assessment of authentication-related threats and vulnerabilities leads to remediation of missing or weak authentication controls.
CWE-306 · Missing Authentication for Critical Function · 2,820 · Risk assessments evaluate exposure of critical functions lacking authentication and prioritize corrective controls.
CWE-732 · Incorrect Permission Assignment for Critical Resource · 1,874 · Assessment of system vulnerabilities includes permission and privilege misconfigurations that enable unauthorized resource access.
CWE-285 · Improper Authorization · 1,356 · The control requires determining likelihood and impact of unauthorized actions, directly surfacing and mitigating authorization weaknesses.
CWE-693 · Protection Mechanism Failure · 613 · Periodic review of protection effectiveness against identified threats directly addresses failures in security mechanisms.
CWE-359 · Exposure of Private Personal Information to an Unauthorized Actor · 190 · The control specifically requires assessing adverse effects from PII processing, directly mitigating privacy-related information exposure.

Top CVEs where this control is the strongest mitigation

CVE · Risk · CVSS · EPSS · Match
No CVEs annotated to this control yet; the per-CVE backfill is in progress.

Other controls in family RA

RA-1 RA-10 RA-2 RA-4 RA-5 RA-6 RA-7 RA-8 RA-9