Risk Assessment Report Write a comprehensive risk assessment report, using the?Risk Assessment Reports Template?as a guide. You will complete three different sections of this report over th

· List the date of the risk assessment.

· Summarize the purpose of the risk assessment.

· Describe the scope of the risk assessment.

· For Tier 1 and Tier 2 risk assessments, identify: organizational governance structures or processes associated with the assessment (e.g., risk executive [function], budget process, acquisition process, systems engineering process, enterprise architecture, information security architecture, organizational missions/business functions, mission/business processes, information systems supporting the mission/business processes).

· For Tier 3 risk assessments, identify: the information system name and location(s), security categorization, and information system (i.e., authorization) boundary.

· State whether this is an initial or subsequent risk assessment. If a subsequent risk assessment, describe the circumstances that prompted the update and include a reference to the previous Risk Assessment Report.

· Describe the overall level of risk (e.g., Very Low, Low, Moderate, High, or Very High).

· List the number of risks identified for each level of risk (e.g., Very Low, Low, Moderate, High, or Very High).

2. Body of the Report: Part 1

Include the following:

· How the use of a specific information technology would potentially change the risk to organizational missions/business functions if employed in information systems supporting those missions/business functions; or

· How the risk assessment results are to be used in the context of the RMF (e.g., an initial risk assessment to be used in tailoring security control baselines and/or to guide and inform other decisions and serve as a starting point for subsequent risk assessments; subsequent risk assessment to incorporate results of security control assessments and inform authorization decisions; subsequent risk assessment to support the analysis of alternative courses of action for risk responses; subsequent risk assessment based on risk monitoring to identify new threats or vulnerabilities; subsequent risk assessments to incorporate knowledge gained from incidents or attacks).

· Identify assumptions and constraints.

· Describe risk tolerance inputs to the risk assessment (including the range of consequences to be considered).

· Identify and describe the risk model and analytic approach; provide a reference or include as an appendix, identifying risk factors, value scales, and algorithms for combining values.

· Provide a rationale for any risk-related decisions during the risk assessment process.

· Describe the uncertainties within the risk assessment process and how those uncertainties influence decisions.

3. Body of the Report: Part 2

Include the following:

· If the risk assessment includes organizational missions/business functions, describe the missions/functions (e.g., mission/business processes supporting the missions/functions, interconnections and dependencies among related missions/business functions, and information technology that supports the missions/business functions).

· If the risk assessment includes organizational information systems, describe the systems (e.g., missions/business functions the system is supporting, information flows to/from the systems, and dependencies on other systems, shared services, or common infrastructures).

· Summarize risk assessment results (e.g., using tables or graphs), in a form that enables decision makers to quickly understand the risk (e.g., number of threat events for different combinations of likelihood and impact, the relative proportion of threat events at different risk levels).

· Identify the time frame for which the risk assessment is valid (i.e., time frame for which the assessment is intended to support decisions).