Sorry, you need to enable JavaScript to visit this website.


Office of the Chief Technology Officer

DC Agency Top Menu

-A +A
Bookmark and Share

Risk Assessment Policy

Approved Date – 02/22/2021
Published Date – 02/22/2021
Revised Date – 02/23/2023

1. Purpose

Specify the requirements for the conduct of periodic security risk assessments on the District of Columbia Government (hereafter known as District)’s information technology infrastructure to evaluate the District’s current security posture, identify gaps and determine appropriate corrective actions.

2. Authority

DC Official Code § 1-1401 et seq., provides the Office of the Chief Technology Officer (“OCTO”) with the authority to provide information technology (IT) services, write and enforce IT policies, and secure the network and IT systems for the District. This document can be found at:

3. Applicability

This policy applies to all District workforce members responsible for application identity and role definition on behalf of the District, and/or any District agency/District/entity who receive enterprise services from OCTO. In addition, this policy applies to any provider and third-party entity with access to District information, systems, networks, and applications.

4. Policy

4.1.  Security Categorization

District’s agencies must:

4.1.1. Categorize information and the system per applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance.

4.1.2. Document the security categorization results in the security plan for the information system.

4.1.3. Ensure the security categorization decision is reviewed and approved by the authorizing official or authorizing official designated representative.

4.2.  Risk Assessments

District’s agencies must:

4.2.1. Conduct assessments of risks, including the likelihood and magnitude of the harm, from the unauthorized access, use, disclosure, disruption, modification, or destruction of the information system and the information it processes, stores, or transmits.

4.2.2. Document risk assessment results in a Risk Assessment Report (RAR).

4.2.3. Review risk assessment results annually.

4.2.4. Disseminate risk assessment results to all agencies and relevant personnel.

4.2.5. Update the risk assessments at least annually or whenever there are significant changes to the system or environment of operation (including the identification of new threats and vulnerabilities) or other conditions that may impact the security state of the system.

4.3.  Risk Assessment | Supply Chain Risk Assessment

District’s agencies must:

4.3.1. Assess supply chain risks associated with the third-party supplied software, devices, system components, etc., and

4.3.2. Update the supply chain risk assessment annually, when there are significant changes to the relevant supply chain, or when changes to the system, environments of operation, or other conditions may necessitate a change in the supply chain.

4.4.  Vulnerability Monitoring And Scanning

District’s agencies must:

4.4.1. Monitor and scan for vulnerabilities in all District owned systems hosted applications, and network devices annually or sooner due to system change, upgrades, etc., and when new vulnerabilities potentially affecting the system are identified and reported.

4.4.2. Employ vulnerability monitoring tools and techniques that facilitate interoperability among tools and automate parts of the vulnerability management process by using standards for:

  • Enumerating platforms, software flaws, and improper configurations.
  • Formatting checklists and test procedures; and
  • Measuring vulnerability impact.

4.4.3. Analyze vulnerability scan reports and results from vulnerability monitoring.

4.4.4. Remediate legitimate vulnerabilities within the remediation timeline specified in the District’s Vulnerability Management Policy or according to an organizational assessment of risk;

4.4.5. Share information obtained from the vulnerability monitoring process and control assessments with the system owners to help eliminate similar vulnerabilities in other systems; and

4.4.6. Employ vulnerability monitoring tools that include the capability to readily update the vulnerabilities to be scanned.

4.5.  Vulnerability Scanning | Privileged Access

District agencies' information systems must implement privileged access authorization to all District agencies' systems for all vulnerability scanning activities.

4.6.  Risk Response

District agencies must have a documented guideline for responding to risk by developing a Risk Treatment methodology. Upon the delivery of a security and privacy assessment report, District agencies must ensure that an appropriate response to, or treatment of, the identified risk is determined before a plan of action and milestones entry is generated.

5. Exemptions

Exceptions to this policy shall be requested in writing to the Agency’s CIO and the request will be escalated to the OCTO Chief Information Security Officer (“CISO”) for approval.

6. Definitions

The definition of the terms used in this document can be found in the Policy Definitions website.