Analyze Cyber Risk

MIL1 requirements
a. Cyber risks are prioritized based on estimated impact, at least in an ad hoc manner

MIL2 requirements
b. Defined criteria are used to prioritize cyber risks (for example, impact to the organization, impact to the community, likelihood, susceptibility, risk tolerance)
c. A defined method is used to estimate impact for higher priority cyber risks (for example, comparison to actual events, risk quantification)
d. Defined methods are used to analyze higher priority cyber risks (for example, analyzing the prevalence of types of attacks to estimate likelihood, using the results of controls assessments to estimate susceptibility)
e. Organizational stakeholders from appropriate operations and business functions participate in the analysis of higher priority cyber risks
f. Cyber risks are removed from the risk register or other artifact used to document and manage identified risks when they no longer require tracking or response

MIL3 requirements
g. Cyber risk analyses are updated periodically and according to defined triggers, such as system changes, external events, and information from other model domains