RA-01 Risk Assessment Policy And Procedures

Last modified: May 22, 2026

Introduction

This document describes how Private Mendix Platform fulfills the RA-01 control.

Control ID: RA-01
Control category: RA - Risk Assessment
Requirement baseline: FEDRAMP MODERATE
Responsibility and ownership: Customer - Org

Control

The organization:

  • Develops, documents, and disseminates to organization-defined personnel or roles:

    • A risk assessment policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance
    • Procedures to facilitate the implementation of the risk assessment policy and associated risk assessment controls
  • At organization-defined frequencies, reviews and updates the current:

    • Risk assessment policy
    • Risk assessment procedures.

Supplemental Guidance

This control addresses the establishment of policy and procedures for the effective implementation of selected security controls and control enhancements in the RA family. Policy and procedures reflect applicable federal laws, Executive Orders, directives, regulations, policies, standards, and guidance. Security program policies and procedures at the organization level may make the need for system-specific policies and procedures unnecessary. The policy can be included as part of the general information security policy for organizations or, conversely, can be represented by multiple policies reflecting the complex nature of certain organizations. The procedures can be established for the security program in general and for particular information systems, if needed. The organizational risk management strategy is a key factor in establishing policy and procedures.

The following controls are related to this control:

  • PM-9

For more information, refer to the NIST Special Publications 800-12, 800-30, and 800-100.

Responsibility

Customer Responsibility

The customer is responsible for implementing this control in an appropriate manner in their organization. This includes developing, documenting, and disseminating risk assessment policies and procedures for the Mendix solution to ensure compliance with federal requirements. The customer must ensure that risk assessment policies and procedures are documented, reviewed at organization-defined frequencies, and enforced within their environment.

Guidance

Customer Responsibility

This control is governed by NIST SP 800-53 Rev 5, NIST SP 800-12, NIST SP 800-30, NIST SP 800-100, and FIPS 200, which establish requirements for risk assessment policy and procedures in federal information systems. Customers operating within a FedRAMP or DoD SRG environment must develop and maintain comprehensive risk assessment policies that address purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance with federal requirements.

To meet these requirements, the customer must carry out the following actions:

  • Develop and disseminate risk assessment policies and procedures.

    The customer must develop comprehensive risk assessment policies and procedures for the Mendix solution that address purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance requirements as specified in NIST SP 800-30 and NIST SP 800-100. These policies must be documented and disseminated to organization-defined personnel or roles, ensuring all stakeholders understand their responsibilities.

  • Collaborate with Implementation and Operations teams.

    Establish formal collaboration processes with Infra Implementer regarding the risk assessment policy and procedure impacts of the infrastructure and Private Mendix Platform, and with App Implementer regarding the risk assessment policy and procedure impacts of the Mendix App. The customer must ensure these parties understand how their implementation decisions affect the overall risk assessment framework.

  • Maintain ongoing policy reviews and updates.

    Direct Infra Operator and App Operator to collaborate on an ongoing basis regarding changes to the risk assessment policy and procedure impacts of the Mendix solution throughout its lifecycle. The customer must establish organization-defined frequencies for reviewing and updating risk assessment policies and procedures, ensuring they remain aligned with the organizational risk management strategy and reflect changes in the threat landscape, federal requirements, and system environment.