Tier 3 - Information System View
Tier 3 Risk management overview
Key Risk Management Activities at Tier 3
Tier 3 addresses risk from an information system perspective and is guided by the risk context, risk decisions and risk activities at Tiers 1 and 2.
Tier 3 risk management activities include:
- Categorizing organizational information systems;
- Allocating security controls to organizational information systems and the environments in which those systems operate consistent with the organization’s established enterprise architecture and embedded information security architecture; and
- Managing the selection, implementation, assessment, authorization, and ongoing monitoring of allocated security controls as part of a disciplined and structured system development life cycle process implemented across the organization.
Roles and Responsibilities at Tier 3
At Tier 3, information system owners, common control providers, system and security engineers, and information system security officers make risk-based decisions regarding the implementation, operation, and monitoring of organizational information systems.
Risk-Based Decisions and Authorizations
Based on these day-to-day operational risk-based decisions, authorizing officials make follow-on risk-based decisions on whether or not the information systems are initially authorized to operate within the designated environments of operation or continue to receive authorization to operate on an ongoing basis.
Feedback to Tiers 1 and 2
These ongoing risk-based decisions are informed by the risk management process with guidance from the risk executive (function) and the various architectural considerations supporting the mission/business processes. In addition, the activities at Tier 3 provide essential feedback to Tiers 1 and 2. New vulnerabilities discovered in an organizational information system, for example, may have systemic implications that extend organization-wide.
Those same vulnerabilities may trigger changes to the enterprise architecture and embedded information security architecture or may require an adjustment to the organizational risk tolerance.
System Development Life Cycle
Integration of Risk Management into the SDLC
All information systems, including operational systems, systems under development, and systems undergoing modification, are in some phase of the system development life cycle (SDLC).
In addition to the risk management activities carried out at Tier 1 and Tier 2 (e.g., reflecting the organization’s risk management strategy within the enterprise architecture and embedded information security architecture), risk management activities are also integrated into the SDLC at Tier 3. These activities occur at every phase of the SDLC, with each phase's outputs influencing the subsequent phases.
Risk Management Strategy Alignment
The risk management activities at Tier 3 align with the organization’s risk management strategy and address risks related to cost, schedule, and performance requirements for individual information systems that support mission/business functions.
Initiation Phase Risk Assessments
The Tier 2 context and the SDLC determine the purpose and define the scope of risk assessment activities at Tier 3.
While initial risk assessments (i.e., risk assessments performed for the first time, rather than updating prior risk assessments) can be performed at any phase of the SDLC, they should be performed in the Initiation phase.
In the Initiation phase, risk assessments evaluate the anticipated vulnerabilities and predisposing conditions affecting the confidentiality, integrity, and availability of information systems in the context of their planned environments of operation. These assessments inform risk response, enabling information system owners and program managers, in collaboration with mission/business owners, to make the final decisions about the security controls necessary based on the security categorization and the operational environment.
Risk Assessments in Later Phases
Risk assessments are also conducted at later phases of the SDLC, updating risk assessment results from earlier phases.
These risk assessment results for as-built or as-deployed information systems typically include:
- Descriptions of vulnerabilities in the systems,
- An assessment of the risks associated with each vulnerability (thereby updating the assessment of vulnerability severity), and
- Corrective actions that can be taken to mitigate the risks.
Overall Risk Assessment
These results also include an assessment of the overall risk to the organization and the information contained in the information systems by operating the systems as evaluated.
Communication of Risk Assessment Results
Risk assessment results at Tier 3 are communicated to organizational entities at Tier 1 and Tier 2. The risk assessment
(Sources: NIST SP 800-30, NIST SP 800-39)