Risk Assessment Report (RAR)

A Risk Assessment Report (RAR) is a formal document that identifies and evaluates the security risks facing an information system. It catalogs threats, vulnerabilities, the likelihood of exploitation, and the potential impact if a security incident occurs. The RAR provides the Authorizing Official (AO) with a clear picture of the risk landscape.

The RAR is a required artifact in the RMF process. It goes beyond listing technical vulnerabilities — it contextualizes risks in terms of mission impact, helping decision-makers understand not just what could go wrong, but what it would mean for operations if it did.

Why It Matters

A well-written RAR helps your AO make informed decisions quickly. Presenting risks in terms of business and mission impact — rather than just technical severity — demonstrates mature risk management and builds confidence in your security program.
