Risk assessment


RA-1 Risk Assessment Policy And Procedures

Description

The organization:

  1. Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]:
    1. A risk assessment policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and
    2. Procedures to facilitate the implementation of the risk assessment policy and associated risk assessment controls; and
  2. Reviews and updates the current:
    1. Risk assessment policy [Assignment: organization-defined frequency]; and
    2. Risk assessment procedures [Assignment: organization-defined frequency].

Control Information

Responsible role(s) - Organization

RA-2 Security Categorization

Description

The organization:

  1. Categorizes information and the information system in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance;
  2. Documents the security categorization results (including supporting rationale) in the security plan for the information system; and
  3. Ensures that the authorizing official or authorizing official designated representative reviews and approves the security categorization decision.

Control Information

Responsible role(s) - Organization

RA-3 Risk Assessment

Description

The organization:

  1. Conducts an assessment of risk, including the likelihood and magnitude of harm, from the unauthorized access, use, disclosure, disruption, modification, or destruction of the information system and the information it processes, stores, or transmits;
  2. Documents risk assessment results in [Selection: security plan; risk assessment report; [Assignment: organization-defined document]];
  3. Reviews risk assessment results [Assignment: organization-defined frequency];
  4. Disseminates risk assessment results to [Assignment: organization-defined personnel or roles]; and
  5. Updates the risk assessment [Assignment: organization-defined frequency] or whenever there are significant changes to the information system or environment of operation (including the identification of new threats and vulnerabilities), or other conditions that may impact the security state of the system.

Control Information

Responsible role(s) - Organization

RA-5 Vulnerability Scanning

Description

The organization:

  1. Scans for vulnerabilities in the information system and hosted applications [Assignment: organization-defined frequency and/or randomly in accordance with organization-defined process] and when new vulnerabilities potentially affecting the system/applications are identified and reported;
  2. Employs vulnerability scanning tools and techniques that facilitate interoperability among tools and automate parts of the vulnerability management process by using standards for:
    1. Enumerating platforms, software flaws, and improper configurations;
    2. Formatting checklists and test procedures; and
    3. Measuring vulnerability impact;
  3. Analyzes vulnerability scan reports and results from security control assessments;
  4. Remediates legitimate vulnerabilities [Assignment: organization-defined response times] in accordance with an organizational assessment of risk; and
  5. Shares information obtained from the vulnerability scanning process and security control assessments with [Assignment: organization-defined personnel or roles] to help eliminate similar vulnerabilities in other information systems (i.e., systemic weaknesses or deficiencies).

Control Information

Responsible role(s) - Organization

RA-5 (1) Update Tool Capability

Description

The organization employs vulnerability scanning tools that include the capability to readily update the information system vulnerabilities to be scanned.

Control Information

Responsible role(s) - Docker system

Component                      | Implementation Status(es) | Control Origin(s)
Docker Security Scanning (DSS) | none                      | service provider hybrid
Docker Trusted Registry (DTR)  | none                      | service provider hybrid

Implementation Details

To assist the organization in meeting the requirements of this control, the Docker Security Scanning (DSS) component of Docker Trusted Registry (DTR) that is included with the Docker Enterprise Edition Advanced tier can be used to scan Docker images for vulnerabilities against known vulnerability databases. Scans can be triggered either manually or when Docker images are pushed to DTR.
The Docker Security Scanning tool allows for the scanning of Docker images in Docker Trusted Registry against the Common Vulnerabilities and Exposures (CVE) dictionary.

RA-5 (2) Update By Frequency / Prior To New Scan / When Identified

Description

The organization updates the information system vulnerabilities scanned [Selection (one or more): [Assignment: organization-defined frequency]; prior to a new scan; when new vulnerabilities are identified and reported].

Control Information

Responsible role(s) - Docker system

Component                      | Implementation Status(es) | Control Origin(s)
Docker Security Scanning (DSS) | none                      | service provider hybrid

Implementation Details

To assist the organization in meeting the requirements of this control, the Docker Security Scanning component of Docker Trusted Registry (DTR) that is included with the Docker Enterprise Edition Advanced tier compiles a bill of materials (BOM) for each Docker image that it scans. DSS is also synchronized to an aggregate listing of known vulnerabilities that is compiled from both the MITRE and NVD CVE databases. Additional information can be found at the following resources:

RA-5 (3) Breadth / Depth Of Coverage

Description

The organization employs vulnerability scanning procedures that can identify the breadth and depth of coverage (i.e., information system components scanned and vulnerabilities checked).

Control Information

Responsible role(s) - Docker system

Component                      | Implementation Status(es) | Control Origin(s)
Docker Security Scanning (DSS) | none                      | service provider hybrid
Docker Trusted Registry (DTR)  | none                      | service provider hybrid

Implementation Details

To assist the organization in meeting the requirements of this control, the Docker Security Scanning component of Docker Trusted Registry (DTR) that is included with the Docker Enterprise Edition Advanced tier identifies vulnerabilities in a Docker image and marks them against predefined criticality levels: critical, major, and minor.
The Docker Security Scanning tool allows for the scanning of Docker images in Docker Trusted Registry against the Common Vulnerabilities and Exposures (CVE) dictionary.

RA-5 (4) Discoverable Information

Description

The organization determines what information about the information system is discoverable by adversaries and subsequently takes [Assignment: organization-defined corrective actions].

Control Information

Responsible role(s) - Organization

RA-5 (5) Privileged Access

Description

The information system implements privileged access authorization to [Assignment: organization-identified information system components] for selected [Assignment: organization-defined vulnerability scanning activities].

Control Information

Responsible role(s) - Docker system

Component                      | Implementation Status(es) | Control Origin(s)
Docker Security Scanning (DSS) | none                      | service provider hybrid

Implementation Details

Only the appropriate users that the organization has provided Docker Trusted Registry access to are able to view and interpret vulnerability scan results.

RA-5 (6) Automated Trend Analyses

Description

The organization employs automated mechanisms to compare the results of vulnerability scans over time to determine trends in information system vulnerabilities.

Control Information

Responsible role(s) - Docker system

Component                      | Implementation Status(es) | Control Origin(s)
Docker Security Scanning (DSS) | none                      | service provider hybrid

Implementation Details

For each Docker image pushed to Docker Trusted Registry at a given time, Docker Security Scanning retains a list of vulnerabilities detected. The DTR API can be queried to retrieve the vulnerability scan results over a period of time for a given Docker image, so that the results can be compared per the requirements of this control.
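The comparison step described above, as an added example that is not Docker's own code and does not reproduce the DTR API schema: two constructed scan snapshots of one image are classified into new, fixed and persistent findings and a per-criticality delta (the image name, CVE identifiers and field names are hypothetical placeholders; retrieving the snapshots from the DTR API is left to the reader).

```python
"""Trend comparison of vulnerability scan results for one DTR image.

Assumption: the snapshots below are constructed sample data shaped like a
scan result list, not real DSS/DTR API output; "cve", "severity" and
"component" are hypothetical field names.
"""
from collections import Counter

# Criticality levels used by Docker Security Scanning, per the page.
SEVERITIES = ("critical", "major", "minor")

# Constructed snapshots of the same image at two points in time (placeholder IDs).
SCAN_T0 = {
    "image": "example/app:1.0",
    "scanned_at": "2019-01-01T00:00:00Z",
    "vulnerabilities": [
        {"cve": "CVE-0000-0001", "severity": "critical", "component": "openssl"},
        {"cve": "CVE-0000-0002", "severity": "major", "component": "glibc"},
        {"cve": "CVE-0000-0003", "severity": "minor", "component": "bash"},
    ],
}
SCAN_T1 = {
    "image": "example/app:1.1",
    "scanned_at": "2019-02-01T00:00:00Z",
    "vulnerabilities": [
        {"cve": "CVE-0000-0002", "severity": "major", "component": "glibc"},
        {"cve": "CVE-0000-0004", "severity": "critical", "component": "curl"},
    ],
}


def severity_counts(scan):
    """Count findings per criticality level; every level is reported, even at zero."""
    counts = Counter(v["severity"] for v in scan["vulnerabilities"])
    return {s: counts.get(s, 0) for s in SEVERITIES}


def compare_scans(older, newer):
    """Classify each CVE as new, fixed or persistent between two scans of one image
    and compute the per-severity delta (positive means more findings than before)."""
    old = {v["cve"]: v for v in older["vulnerabilities"]}
    new = {v["cve"]: v for v in newer["vulnerabilities"]}
    before, after = severity_counts(older), severity_counts(newer)
    persistent = set(old) & set(new)
    return {
        "new": sorted(set(new) - set(old)),
        "fixed": sorted(set(old) - set(new)),
        "persistent": sorted(persistent),
        "delta": {s: after[s] - before[s] for s in SEVERITIES},
        # Critical findings that survive across scans are the trend worth escalating.
        "persistent_critical": sorted(c for c in persistent if new[c]["severity"] == "critical"),
    }
```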

RA-5 (8) Review Historic Audit Logs

Description

The organization reviews historic audit logs to determine if a vulnerability identified in the information system has been previously exploited.

Control Information

Responsible role(s) - Docker system

Component                      | Implementation Status(es) | Control Origin(s)
Docker Security Scanning (DSS) | none                      | service provider hybrid

Implementation Details

Docker Security Scanning maintains a historical bill-of-materials (BOM) for all Docker images that are scanned. Results of previous vulnerability scans can be reviewed and audited per the requirements of this control.

RA-5 (10) Correlate Scanning Information

Description

The organization correlates the output from vulnerability scanning tools to determine the presence of multi-vulnerability/multi-hop attack vectors.

Control Information

Responsible role(s) - Organization

RA-6 Technical Surveillance Countermeasures Survey

Description

The organization employs a technical surveillance countermeasures survey at [Assignment: organization-defined locations] [Selection (one or more): [Assignment: organization-defined frequency]; [Assignment: organization-defined events or indicators occur]].

Control Information

Responsible role(s) - Organization
