Request for technical assistance Please provide clarification on Publication 1075 Risk Assessment policy and procedures and the Safeguard Procedures Report (SPR). Specifically, is an agency responsible for creating its own policy and procedures or can this activity can be contracted out to a third party vendor? Response IRS Publication 1075 stipulates that agencies receiving Federal Tax Information (FTI) under Section 6103 of the Internal Revenue Code (IRC) implement computer security controls to protect the confidentiality and integrity of FTI. The NIST SP 800-53 Risk Assessment (RA) family controls are included in that requirement. The agency may choose to have a contractor develop its risk assessment policy and procedures, and can be involved in implementing those procedures, e.g., conducting risk assessment activities such as vulnerability scanning of information systems. While it is the case that a contractor can be used to assist with implementing RA controls, it is important to ensure that the agency works closely with the contractor to ensure the policy being developed is aligned with the agency’s overall mission and the requirements of Publication 1075. It is up to the agency to provide the contractor with the most complete and accurate information regarding their information systems so that ideal policy and procedures can be created. When creating Risk Assessment policy and procedures, it is important to address the five controls in the control family. These NIST SP 800-53 controls are listed below: Risk Assessment Policy and Procedures (RA-1) Develop, disseminate, and periodically review/update a formal, documented risk assessment policy and formal, documented procedures Procedures facilitate the implementation of the risk assessment policy and associated risk assessment controls. Policy must address: Purpose Scope Roles Responsibilities Management commitment Coordination among organizational entities Compliance Security Categorization (RA-2) Categorize the information system and the information processed, stored, or transmitted by the system and document the results in a system security plan Designated senior-level officials within the agency must review and approve the security categorizations Risk Assessment (RA-3) Conduct assessments of the risk and magnitude of harm that could result from the unauthorized access, use, disclosure, disruption, modification, or destruction of information and information systems that support the operations and assets of the agency Risk Assessment Update (RA-4) Update the risk assessment periodically (agency defined) or whenever there are significant changes to the information system, the facilities where the system resides, or other conditions that may impact the security of accreditation status of the system Vulnerability Scanning (RA-5) Scan for vulnerabilities in the information system periodically (agency defined) or when significant new vulnerabilities potentially affecting the system are identified and reported Further guidance on Risk Assessments can be found by reviewing NIST SP 800-30, Risk Management Guide for Information Technology Systems, which provides a foundation for the development of an effective risk management program.