03.11.04: Risk Response
Control Family: Risk Assessment
SPRS: N/A
Top Ten Failed Requirement: N/A
Supporting Publications:
SP 800-30 [55]
SP 800-37 [59]
SP 800-39 [60]
SP 800-160-1 [11]
Referenced in: N/A
Control Type: N/A
CPCSC Level 2: 03.11.04
CMMC Level(s): N/A
Derived From: NIST SP 800-53r5 RA-07 (Risk Response)
Respond to findings from security assessments, monitoring, and audits.
Discussion:
This requirement addresses the need to decide on an appropriate risk response before creating a plan of action and milestones (POAM) entry. If the identified risk can be mitigated immediately, no POAM entry is needed. A POAM entry is required when the chosen response is to mitigate the risk but the mitigation cannot be completed immediately; the entry records the planned mitigation and its milestones until the finding is closed.
Assessment Methods and Objectives
Examine [SELECT FROM: risk assessment policy; assessment reports; system audit records; event logs; system security plan; other relevant documents or records]
Interview [SELECT FROM: personnel with assessment and auditing responsibilities; system administrators; personnel with security responsibilities]
Test [SELECT FROM: processes for assessments and audits; mechanisms and tools supporting or implementing assessments and auditing]
NIST SP 800-171A r3 Determining Statements
Determine if:
A.03.11.04[01]: findings from security assessments are responded to.
A.03.11.04[02]: findings from security monitoring are responded to.
A.03.11.04[03]: findings from security audits are responded to.