The organization: RA-3a.
Conducts an assessment of risk, including the likelihood and magnitude of harm, from the unauthorized access, use, disclosure, disruption, modification, or destruction of the information system and the information it processes, stores, or transmits; RA-3b.
Documents risk assessment results in Selection: security plan; risk assessment report; Assignment: organization-defined document; RA-3c.
Reviews risk assessment results Assignment: organization-defined frequency; RA-3d.
Disseminates risk assessment results to Assignment: organization-defined personnel or roles; and RA-3e.
Updates the risk assessment Assignment: organization-defined frequency or whenever there are significant changes to the information system or environment of operation (including the identification of new threats and vulnerabilities), or other conditions that may impact the security state of the system.