OpenShift Container Platform 3.x - Risk Assessment

Control responses for NIST 800-53 rev4.


Requirements Traceability Matrix

Control      Name                                                                      Status
RA-1         Risk Assessment Policy And Procedures                                     not applicable
RA-2         Security Categorization                                                   not applicable
RA-3         Risk Assessment                                                           not applicable
RA-4         Risk Assessment Update
RA-5         Vulnerability Scanning                                                    not applicable
RA-5 (1)     Update Tool Capability
RA-5 (2)     Update By Frequency / Prior To New Scan / When Identified
RA-5 (3)     Breadth / Depth Of Coverage
RA-5 (4)     Discoverable Information
RA-5 (5)     Privileged Access
RA-5 (6)     Automated Trend Analyses
RA-5 (7)     Automated Detection And Notification Of Unauthorized Components
RA-5 (8)     Review Historic Audit Logs
RA-5 (9)     Penetration Testing And Analyses
RA-5 (10)    Correlate Scanning Information
RA-6         Technical Surveillance Countermeasures Survey



RA-1: Risk Assessment Policy And Procedures

The organization:

a. Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]:
   1. A risk assessment policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and
   2. Procedures to facilitate the implementation of the risk assessment policy and associated risk assessment controls; and
b. Reviews and updates the current:
   1. Risk assessment policy [Assignment: organization-defined frequency]; and
   2. Risk assessment procedures [Assignment: organization-defined frequency].

RA-1 Control Response Information
Implementation Status:

not applicable

RA-1: What is the solution and how is it implemented?

‘This control reflects organizational procedures/policies, and is not applicable to the configuration of OpenShift.’




RA-2: Security Categorization

The organization:

a. Categorizes information and the information system in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance;
b. Documents the security categorization results (including supporting rationale) in the security plan for the information system; and
c. Ensures that the authorizing official or authorizing official designated representative reviews and approves the security categorization decision.

RA-2 Control Response Information
Implementation Status:

not applicable

RA-2: What is the solution and how is it implemented?

‘This control reflects organizational procedures/policies, and is not applicable to the configuration of OpenShift.’




RA-3: Risk Assessment

The organization:

a. Conducts an assessment of risk, including the likelihood and magnitude of harm, from the unauthorized access, use, disclosure, disruption, modification, or destruction of the information system and the information it processes, stores, or transmits;
b. Documents risk assessment results in [Selection: security plan; risk assessment report; [Assignment: organization-defined document]];
c. Reviews risk assessment results [Assignment: organization-defined frequency];
d. Disseminates risk assessment results to [Assignment: organization-defined personnel or roles]; and
e. Updates the risk assessment [Assignment: organization-defined frequency] or whenever there are significant changes to the information system or environment of operation (including the identification of new threats and vulnerabilities), or other conditions that may impact the security state of the system.

RA-3 Control Response Information
Implementation Status:

not applicable

RA-3: What is the solution and how is it implemented?

‘This control reflects organizational procedures/policies, and is not applicable to the configuration of OpenShift.’




RA-4: Risk Assessment Update

“[Withdrawn: Incorporated into RA-3].”

RA-4 Control Response Information
Implementation Status:

RA-4: What is the solution and how is it implemented?

This control has not been evaluated in the context of OpenShift Container Platform 3.x.



RA-5: Vulnerability Scanning

The organization:

a. Scans for vulnerabilities in the information system and hosted applications [Assignment: organization-defined frequency and/or randomly in accordance with organization-defined process] and when new vulnerabilities potentially affecting the system/applications are identified and reported;
b. Employs vulnerability scanning tools and techniques that facilitate interoperability among tools and automate parts of the vulnerability management process by using standards for:
   1. Enumerating platforms, software flaws, and improper configurations;
   2. Formatting checklists and test procedures; and
   3. Measuring vulnerability impact;
c. Analyzes vulnerability scan reports and results from security control assessments;
d. Remediates legitimate vulnerabilities [Assignment: organization-defined response times] in accordance with an organizational assessment of risk; and
e. Shares information obtained from the vulnerability scanning process and security control assessments with [Assignment: organization-defined personnel or roles] to help eliminate similar vulnerabilities in other information systems (i.e., systemic weaknesses or deficiencies).

RA-5 Control Response Information
Implementation Status: