Risk Assessment
The organization conducts a risk assessment to understand the cyber security risk to organizational operations (including mission, functions, image, or reputation), organizational assets, vendors, and individuals.
A risk assessment often employs NIST SP 800-53A to evaluate the effectiveness of the information system's security controls, using appropriate methods and procedures to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting the security objectives and requirements for the system.