OpenStack Platform 13 - Risk Assessment

Control responses for NIST 800-53 rev4.


Requirements Traceability Matrix

Control      Name                                                              Status
RA-1         Risk Assessment Policy And Procedures                             not applicable
RA-2         Security Categorization                                           not applicable
RA-3         Risk Assessment                                                   not applicable
RA-4         Risk Assessment Update
RA-5         Vulnerability Scanning                                            not applicable
RA-5 (1)     Update Tool Capability                                            planned
RA-5 (2)     Update By Frequency / Prior To New Scan / When Identified         not applicable
RA-5 (3)     Breadth / Depth Of Coverage                                       not applicable
RA-5 (4)     Discoverable Information
RA-5 (5)     Privileged Access                                                 not applicable
RA-5 (6)     Automated Trend Analyses                                          not applicable
RA-5 (7)     Automated Detection And Notification Of Unauthorized Components
RA-5 (8)     Review Historic Audit Logs                                        not applicable
RA-5 (9)     Penetration Testing And Analyses
RA-5 (10)    Correlate Scanning Information                                    not applicable
RA-6         Technical Surveillance Countermeasures Survey



RA-1: Risk Assessment Policy And Procedures

The organization: a. Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]: 1. A risk assessment policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and 2. Procedures to facilitate the implementation of the risk assessment policy and associated risk assessment controls; and b. Reviews and updates the current: 1. Risk assessment policy [Assignment: organization-defined frequency]; and 2. Risk assessment procedures [Assignment: organization-defined frequency].

RA-1 Control Response Information
Implementation Status:

not applicable

RA-1: What is the solution and how is it implemented?

‘This control reflects organizational procedures/policies, and is not applicable to the configuration of Red Hat OpenStack Platform.’




RA-2: Security Categorization

The organization: a. Categorizes information and the information system in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance; b. Documents the security categorization results (including supporting rationale) in the security plan for the information system; and c. Ensures that the authorizing official or authorizing official designated representative reviews and approves the security categorization decision.

RA-2 Control Response Information
Implementation Status:

not applicable

RA-2: What is the solution and how is it implemented?

‘This control reflects organizational procedures/policies, and is not applicable to the configuration of Red Hat OpenStack Platform.’




RA-3: Risk Assessment

The organization: a. Conducts an assessment of risk, including the likelihood and magnitude of harm, from the unauthorized access, use, disclosure, disruption, modification, or destruction of the information system and the information it processes, stores, or transmits; b. Documents risk assessment results in [Selection: security plan; risk assessment report; [Assignment: organization-defined document]]; c. Reviews risk assessment results [Assignment: organization-defined frequency]; d. Disseminates risk assessment results to [Assignment: organization-defined personnel or roles]; and e. Updates the risk assessment [Assignment: organization-defined frequency] or whenever there are significant changes to the information system or environment of operation (including the identification of new threats and vulnerabilities), or other conditions that may impact the security state of the system.

RA-3 Control Response Information
Implementation Status:

not applicable

RA-3: What is the solution and how is it implemented?

‘This control reflects organizational procedures/policies, and is not applicable to the configuration of Red Hat OpenStack Platform.’




RA-4: Risk Assessment Update

“[Withdrawn: Incorporated into RA-3].”

RA-4 Control Response Information
Implementation Status: