Maintaining the Risk Assessment

The third step in the risk assessment process is to maintain the assessment. The objective of this step is to keep the organization's specific knowledge of the risk it incurs current over time. The results of risk assessments inform risk decisions and risk responses by organizations. To support ongoing risk management decisions (e.g., authorization decisions for information systems and common controls), organizations maintain risk assessments to incorporate any changes detected through risk monitoring. Risk monitoring provides organizations with the means to, on an ongoing basis:

(i) verify compliance;

(ii) determine the effectiveness of risk response measures; and

(iii) identify risk-impacting changes to organizational information systems and the environments in which those systems operate.

Maintaining risk assessments includes the following specific tasks:

  • Monitoring risk factors identified in risk assessments on an ongoing basis and understanding subsequent changes to those factors; and
  • Updating key components of risk assessments reflecting the monitoring activities carried out by organizations.

Step 3: Maintain the Risk Assessment

Task 3-1: Conduct ongoing monitoring of the factors that contribute to changes in risk to organizational operations and assets, individuals, other organizations, or the Nation.

Supplemental Guidance: Organizations monitor risk factors of importance on an ongoing basis to ensure that the information needed to make credible, risk-based decisions continues to be available over time. Monitoring risk factors (e.g., threat sources and threat events, vulnerabilities and predisposing conditions, capabilities and intent of adversaries, targeting of organizational operations, assets, or individuals) can provide critical information on changing conditions that could potentially affect the ability of organizations to conduct core missions and business functions. Information derived from the ongoing monitoring of risk factors can be used to refresh risk assessments at whatever frequency is deemed appropriate. Organizations can also attempt to capture changes in the effectiveness of risk response measures in order to maintain the currency of risk assessments. The objective is to maintain ongoing situational awareness of the security state of the organizational governance structures and activities, mission/business processes, information systems, and environments of operation. The term security state is used broadly to encompass all factors that may affect the risk being incurred by organizations. Therefore, in applying the risk assessment context (i.e., scope, purpose, assumptions, constraints, risk tolerances, priorities, and trade-offs), organizations consider the part risk factors play in the risk response plan being executed. For example, it is expected to be quite common for the security state of information systems (that is, factors measured within those systems) to reflect only a part of the organizational risk response, with response actions at the organization level or mission/business process level providing a significant portion of that response. In such situations, monitoring only the security state of information systems would likely not provide sufficient information to correlate with the overall risk being incurred by organizations.

Highly capable, well-resourced, and purpose-driven threat sources can be expected to defeat commonly available protection mechanisms (e.g., by bypassing or tampering with such mechanisms). Thus, process-level risk response measures such as reengineering mission/business processes, wise use of information technology, or the use of alternate execution processes in the event of compromised information systems can be major elements of organizational risk response plans.

Task 3-2: Update the existing risk assessment using the results from ongoing monitoring of risk factors.

Supplemental Guidance: Organizations determine the frequency and the circumstances under which risk assessments are updated. Such determinations can take into account, for example, the current level of risk to, and/or the importance of, core organizational missions/business functions. If significant changes (as defined by organizational policies, direction, or guidance) have occurred since the risk assessment was performed, organizations can revisit the purpose, scope, assumptions, and constraints of the assessment to determine whether all tasks in the risk assessment process need to be performed again. Otherwise, the updates constitute differential or incremental risk assessments, identifying and assessing only how selected risk factors have changed, for example:

(i) the identification of new threat events, vulnerabilities, predisposing conditions, undesirable consequences, and/or affected assets; and

(ii) the assessments of threat source characteristics (e.g., capability, intent, targeting, and range of effects), likelihoods, and impacts.

Organizations communicate the results of updated risk assessments to entities across all risk management tiers to ensure that responsible organizational officials have access to critical information needed to make ongoing risk-based decisions.

Summary of Key Activities – Maintaining Risk Assessments

  • Identify the key risk factors selected for ongoing monitoring.
  • Determine frequency of risk factor monitoring activities and the circumstances under which the risk assessment needs to be updated.
  • Reconfirm the purpose, scope, and assumptions of the risk assessment.
  • Conduct the appropriate risk assessment tasks, as needed.
  • Communicate the updated risk assessment results to appropriate organizational stakeholders.