Information (CUI) (When Filled In)
Centers for Disease Control and Prevention
<System Name>
Draft Risk Assessment Report
Submitted to Tom Madden, CISO
DHHS/CDC/CIO/OCISO
4770 Buford Highway K-81
Atlanta, GA 30329
Submitted: , 2007
Version Control
Date | Author | Version
EXECUTIVE SUMMARY
The Centers for Disease Control and Prevention (CDC) recognizes that the best, most up-to-date health information is without value unless it is pertinent and accessible to the people it is meant to serve. Lockheed Martin Information Technology has been tasked to conduct a risk assessment of the <System Name and Acronym> for the purpose of certification and accreditation (C&A) of <System Name> under DHHS Information Security Program Policy. This Risk Assessment Report, in conjunction with the System Security Plan, assesses the use of resources and controls to eliminate and/or manage vulnerabilities that are exploitable by threats internal and external to CDC. The successful completion of the C&A process results in a formal Authorization to Operate for <System Name>.
The scope of this risk assessment effort was limited to the security controls applicable to the <System Name> system’s environment relative to its conformance with the minimum DHHS Information Technology Security Program: Baseline Security Requirements Guide. These baseline security requirements address security controls in the areas of computer hardware and software, data, operations, administration, management, information, facility, communication, personnel, and contingency.
The <System Name> risk assessment was conducted in accordance with the methodology described in National Institute of Standards and Technology (NIST) Special Publication (SP) 800-30, Risk Management Guide for Information Technology Systems. The methodology used to conduct this risk assessment is qualitative, and no attempt was made to determine any annual loss expectancies, asset