Risk Report
Tags: NIST SP 800-37 (RMF) | Identify | Govern

Risk Assessment & Reporting

Consolidated risk scoring, register management, and NIST RMF reporting

Controls: RA-3, PM-9, CA-5 | References: NIST 800-30, FIPS 199

Overview

The Risk Assessment & Reporting skill serves as the central aggregation point for all audit findings. It imports structured output from the other five skills, scores risks using the NIST 800-30 5×5 likelihood-impact matrix, maintains a prioritized risk register, and generates consolidated reports with Plans of Action & Milestones (POA&M). This skill implements the NIST Risk Management Framework (RMF) as defined in SP 800-37.

Prerequisites

Python 3.8+ standard library
Output files from other audit skills (JSON/Markdown)
Understanding of NIST 800-30 risk scoring methodology
Organizational risk tolerance definitions

Capabilities

Automated import from network-vuln-scanner and penetration-testing JSON
Manual risk entry from config, policy, and IR audit findings
NIST 800-30 5×5 risk matrix scoring (Likelihood × Impact)
Risk register management with unique IDs and tracking
Severity classification (Critical: 20-25, High: 12-19, Medium: 6-11, Low: 1-5)
Treatment tracking (mitigate, accept, transfer, avoid)
POA&M generation with milestones and deadlines
Consolidated Markdown report with executive summary
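The scoring and register behaviour listed above, shown as an added Python example written for this page (it is not the risk_report.py tool's own code). It implements the 5×5 likelihood × impact score, the Critical/High/Medium/Low bands from the capability list, sequential RISK-NNN ids, treatment validation, a JSON import path and the per-band distribution count. The function names, the `Risk` fields and the JSON finding layout are assumptions; the sample findings are constructed to mirror the page's sample register.

```python
# Added example (not the risk_report.py tool itself): NIST 800-30 5x5 scoring,
# severity bands and an in-memory risk register. Names and the JSON finding
# layout are assumptions made for this illustration.
from __future__ import annotations

import json
from dataclasses import dataclass

# Severity bands from the page: Critical 20-25, High 12-19, Medium 6-11, Low 1-5.
SEVERITY_BANDS = (("CRITICAL", 20), ("HIGH", 12), ("MEDIUM", 6), ("LOW", 1))
TREATMENTS = {"mitigate", "accept", "transfer", "avoid"}


def score_risk(likelihood: int, impact: int) -> int:
    """NIST 800-30 5x5 matrix: score = likelihood x impact, each rated 1-5."""
    for name, value in (("likelihood", likelihood), ("impact", impact)):
        if not isinstance(value, int) or not 1 <= value <= 5:
            raise ValueError(f"{name} must be an integer 1-5, got {value!r}")
    return likelihood * impact


def classify(score: int) -> str:
    """Map a 1-25 score onto the severity band used in the risk register."""
    for label, floor in SEVERITY_BANDS:
        if score >= floor:
            return label
    raise ValueError(f"score out of range: {score}")


@dataclass
class Risk:
    risk_id: str
    title: str
    source: str
    likelihood: int
    impact: int
    control: str      # NIST 800-53 control the risk maps to, e.g. IA-5
    treatment: str    # mitigate | accept | transfer | avoid

    @property
    def score(self) -> int:
        return score_risk(self.likelihood, self.impact)

    @property
    def severity(self) -> str:
        return classify(self.score)


class RiskRegister:
    """Assigns sequential RISK-NNN ids and answers prioritisation queries."""

    def __init__(self) -> None:
        self.risks: list[Risk] = []

    def add(self, title, source, likelihood, impact, control, treatment="mitigate") -> Risk:
        if treatment not in TREATMENTS:
            raise ValueError(f"treatment must be one of {sorted(TREATMENTS)}")
        score_risk(likelihood, impact)   # validate the 1-5 scales before storing
        risk = Risk(f"RISK-{len(self.risks) + 1:03d}", title, source,
                    likelihood, impact, control, treatment)
        self.risks.append(risk)          # score/severity are derived, never stored twice
        return risk

    def import_findings(self, json_text: str) -> int:
        """Import automated findings from a JSON list of objects (layout assumed)."""
        findings = json.loads(json_text)
        for f in findings:
            self.add(f["title"], f["source"], f["likelihood"], f["impact"],
                     f["control"], f.get("treatment", "mitigate"))
        return len(findings)

    def prioritized(self) -> list[Risk]:
        """Highest score first; ties keep insertion order (sort is stable)."""
        return sorted(self.risks, key=lambda r: r.score, reverse=True)

    def distribution(self) -> dict[str, int]:
        """Counts per severity band, as in the report's Risk Distribution section."""
        counts = {label: 0 for label, _ in SEVERITY_BANDS}
        for r in self.risks:
            counts[r.severity] += 1
        return counts


# Constructed sample findings that mirror the page's sample register; not real scan output.
SAMPLE_FINDINGS = json.dumps([
    {"title": "VNC Port Exposed", "source": "Net Scan", "likelihood": 4, "impact": 4, "control": "SC-7"},
    {"title": "SQL Injection in Login", "source": "Pen Test", "likelihood": 5, "impact": 5, "control": "SI-10"},
])


def build_sample_register() -> RiskRegister:
    reg = RiskRegister()
    reg.import_findings(SAMPLE_FINDINGS)                            # automated path
    reg.add("Weak Password Policy", "config-audit", 4, 4, "IA-5")  # manual entry
    return reg


if __name__ == "__main__":
    reg = build_sample_register()
    for r in reg.prioritized():
        print(f"{r.risk_id} {r.severity:<8} {r.score:>2} {r.title}")
    print(reg.distribution())
```

Scores and bands are computed on access rather than stored, so re-scoring a risk after a re-assessment cannot leave a stale severity in the register; out-of-range likelihood or impact values are rejected at entry, which is the check a practitioner wants when findings arrive from several differently calibrated tools.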

Usage Guide

Step 1: Initialize the Risk Assessment Project

Create a new risk assessment project that will aggregate findings from all audit phases.

```bash
python3 risk_report.py init \
  --name 'Q1-2026 Enterprise Audit' \
  --assessor 'Gaby - Regional IT Director'
```

Step 2: Import Automated Findings

Import structured JSON output from network scanning and penetration testing skills.

```bash
# Import network scan findings
python3 risk_report.py import-findings \
  --project Q1-2026 \
  --file /reports/network_scan.json

# Import pen-test findings
python3 risk_report.py import-findings \
  --project Q1-2026 \
  --file /reports/pentest_findings.json
```

Step 3: Add Manual Risk Entries

Add risks identified from config audit, policy audit, and IR audit that require manual scoring.

```bash
python3 risk_report.py add-risk \
  --project Q1-2026 \
  --title 'Weak Password Policy' \
  --source config-audit \
  --likelihood 4 --impact 4 \
  --control IA-5 \
  --treatment mitigate
```

Step 4: Generate Consolidated Report

Produce the final risk assessment report with risk register, heat map data, and POA&M.

```bash
python3 risk_report.py generate \
  --project Q1-2026 \
  --output /reports/risk_assessment.md
```

CLI Commands

init: Create a new risk assessment project.

```bash
python3 risk_report.py init --name 'Enterprise Audit' --assessor 'Gaby'
```

Expected Output

```text
Risk Assessment Project initialized
Project: Enterprise Audit
Assessor: Gaby
Directory: ./risk_projects/enterprise-audit/
```

Sample Outputs

Risk Register

```markdown
# Consolidated Risk Assessment Report
**Project:** Q1-2026 Enterprise Audit
**Assessor:** Gaby — Regional IT Director
**Framework:** NIST SP 800-37 (RMF) / NIST SP 800-30

## Risk Register
| ID | Risk | Severity | Score | Source | NIST Control | Treatment |
|----|------|----------|-------|--------|-------------|-----------|
| RISK-002 | SQL Injection in Login | CRITICAL | 25 | Pen Test | SI-10 | Mitigate |
| RISK-005 | Default Admin Creds | CRITICAL | 25 | Pen Test | IA-5 | Mitigate |
| RISK-001 | VNC Port Exposed | HIGH | 16 | Net Scan | SC-7 | Mitigate |
| RISK-003 | XSS in Search | HIGH | 16 | Pen Test | SI-10 | Mitigate |

## Risk Distribution
- Critical (20-25): 2 risks — Immediate action required
- High (12-19): 7 risks — 30-day mitigation plan
- Medium (6-11): 2 risks — 90-day remediation cycle
- Low (1-5): 0 risks
```

POA&M Excerpt

```markdown
## Plan of Action & Milestones (POA&M)
| Risk ID | Action Item | Responsible | Deadline | Status |
|---------|------------|-------------|----------|--------|
| RISK-002 | Implement parameterized queries | Dev Team | 2026-03-15 | Open |
| RISK-005 | Change default credentials, enable MFA | IT Ops | 2026-03-08 | Open |
| RISK-001 | Restrict VNC via firewall, require VPN | NetOps | 2026-03-22 | Open |
```
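How default POA&M deadlines can be derived from severity, as an added Python example written for this page rather than code from risk_report.py. The 30-day window for High and 90-day window for Medium come from the Risk Distribution text above; the 7-day window for Critical and 180-day window for Low are assumed defaults, and the `overrides` argument exists because the Limitations section says the defaults should be customised. The sample items are constructed.

```python
# Added example (not the risk_report.py tool itself): derive POA&M deadlines
# from severity with organisation-tunable defaults. Critical=7 and Low=180 days
# are assumptions; High=30 and Medium=90 follow the report text.
from __future__ import annotations

from datetime import date, timedelta

DEFAULT_DEADLINE_DAYS = {"CRITICAL": 7, "HIGH": 30, "MEDIUM": 90, "LOW": 180}


def poam_deadline(severity: str, assessed_on: str, overrides: dict | None = None) -> str:
    """Return the ISO due date for a POA&M item given the assessment date (ISO string)."""
    days = {**DEFAULT_DEADLINE_DAYS, **(overrides or {})}
    due = date.fromisoformat(assessed_on) + timedelta(days=days[severity.upper()])
    return due.isoformat()


def build_poam(items, assessed_on: str, overrides: dict | None = None) -> list[dict]:
    """items: iterable of (risk_id, severity, action, responsible).
    Rows are sorted by deadline so the earliest obligations come first."""
    rows = [
        {
            "risk_id": risk_id,
            "action": action,
            "responsible": responsible,
            "deadline": poam_deadline(severity, assessed_on, overrides),
            "status": "Open",   # every new item starts open; closure is tracked manually
        }
        for risk_id, severity, action, responsible in items
    ]
    return sorted(rows, key=lambda r: r["deadline"])


def render_poam(rows) -> str:
    """Render rows as the Markdown table used in the report's POA&M section."""
    lines = [
        "## Plan of Action & Milestones (POA&M)",
        "| Risk ID | Action Item | Responsible | Deadline | Status |",
        "|---------|------------|-------------|----------|--------|",
    ]
    lines += [
        f"| {r['risk_id']} | {r['action']} | {r['responsible']} | {r['deadline']} | {r['status']} |"
        for r in rows
    ]
    return "\n".join(lines)


# Constructed sample items; not the output of a real assessment.
SAMPLE_ITEMS = [
    ("RISK-001", "HIGH", "Restrict VNC via firewall, require VPN", "NetOps"),
    ("RISK-002", "CRITICAL", "Implement parameterized queries", "Dev Team"),
    ("RISK-004", "MEDIUM", "Rotate service account keys", "IT Ops"),
]

if __name__ == "__main__":
    print(render_poam(build_poam(SAMPLE_ITEMS, "2026-03-01")))
```

Passing `overrides={"CRITICAL": 3}` tightens the Critical window without touching the other bands, which is the usual way to encode an organisation's risk tolerance in the generated plan.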

NIST Control Mappings

RA-3 Risk Assessment (Risk Assessment family)
Conduct an assessment of risk, including the likelihood and magnitude of harm.

PM-9 Risk Management Strategy (Program Management family)
Develop a comprehensive strategy to manage risk to organizational operations and assets.

CA-5 Plan of Action and Milestones (Assessment, Authorization, and Monitoring family)
Develop a plan of action and milestones for the system to document planned remedial actions.

RA-2 Security Categorization (Risk Assessment family)
Categorize information and the system in accordance with applicable laws and policies.

Best Practices

Import findings from all audit skills to ensure comprehensive risk coverage
Use consistent scoring criteria across all risk entries
Review and update the risk register after each audit cycle
Assign clear ownership and deadlines for every POA&M item
Present the risk register to executive leadership for risk acceptance decisions
Track risk treatment progress and re-assess residual risk quarterly

Limitations

Risk scoring is based on the NIST 800-30 matrix — organizational context may require adjustments
POA&M deadlines are suggested defaults and should be customized
Cannot automatically verify that remediation actions have been completed
Requires manual input for risks from config, policy, and IR audits