NIST 800-53 REV 5 • RISK ASSESSMENT
RA-4 — Risk Assessment Update
CMMC Practice Mapping
No direct CMMC mapping
NIST 800-171 Mapping
No direct NIST 800-171 mapping
Related Controls
No related controls listed
Practitioner Notes
Risk assessments are not one-and-done. You must update them at a defined frequency and whenever significant changes occur: new systems, new threats, organizational changes, or a security incident. Note that in NIST SP 800-53 Rev 5 (as in Rev 4) RA-4 itself is marked withdrawn and incorporated into RA-3, whose update requirement now carries this obligation; assessors will look for it under RA-3, so document your update cadence and triggers there rather than expecting a separate RA-4 finding.
Example 1: Schedule risk assessment updates annually at minimum and trigger ad-hoc updates after: deployment of new systems, major infrastructure changes, significant security incidents, or when new threat intelligence reveals risks you had not previously considered. Document the trigger and the update in your risk register.
Example 2: After every vulnerability scan cycle (monthly or quarterly), review the findings against your current risk register. If new critical vulnerabilities appear, update the affected system's risk assessment and adjust the POA&M accordingly. Use Microsoft Defender Vulnerability Management to track these changes over time.
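The correlation step in Example 2 (compare a scan cycle against the risk register, flag systems whose assessment is now stale, and record the trigger on the POA&M) can be scripted. The following is an added example written for this page; it is not NIST text and not a Defender Vulnerability Management API. The CSV export format, the register contents, the `VULN-*` identifiers and the 30/90-day milestones are constructed assumptions for illustration only.

```python
"""Correlate one vulnerability-scan cycle with a risk register to decide
which systems need a risk-assessment update and what goes on the POA&M.

Added example for this page's practitioner notes. The scan export,
register, field names and milestone days are constructed assumptions.
"""
import csv
import io
from dataclasses import dataclass, field
from datetime import date, timedelta

# Severities that trigger an out-of-cycle risk-assessment update.
REASSESS_SEVERITIES = {"critical", "high"}

# Assumed remediation milestones per severity (days from the scan date).
MILESTONE_DAYS = {"critical": 30, "high": 90}


@dataclass
class RegisterEntry:
    system: str
    last_assessed: date
    assessed_vulns: set = field(default_factory=set)  # IDs the current assessment already covers


@dataclass
class Trigger:
    system: str
    reason: str
    new_vulns: list = field(default_factory=list)


def parse_scan_export(text):
    """Parse a constructed 'system,vuln_id,severity' CSV export.

    Severity is lower-cased so 'Critical' and 'critical' compare equal.
    """
    return [{"system": r["system"].strip(),
             "vuln_id": r["vuln_id"].strip(),
             "severity": r["severity"].strip().lower()}
            for r in csv.DictReader(io.StringIO(text))]


def find_reassessment_triggers(register, findings):
    """Return {system: Trigger} for systems whose risk assessment is stale.

    A system is flagged when the scan shows a critical/high vulnerability
    that its current assessment did not consider, or when the system is
    absent from the register entirely (an unregistered asset is itself a
    trigger). Repeated scan rows for the same vulnerability are deduplicated.
    """
    by_system = {e.system: e for e in register}
    triggers = {}
    for f in findings:
        if f["severity"] not in REASSESS_SEVERITIES:
            continue
        entry = by_system.get(f["system"])
        if entry is None:
            reason = "system missing from risk register"
        elif f["vuln_id"] not in entry.assessed_vulns:
            reason = "new critical/high vulnerability since last assessment"
        else:
            continue  # already accounted for in the current assessment
        trig = triggers.setdefault(f["system"], Trigger(f["system"], reason))
        if f["vuln_id"] not in trig.new_vulns:
            trig.new_vulns.append(f["vuln_id"])
    return triggers


def poam_items(triggers, findings, scan_date):
    """Build POA&M rows for flagged vulnerabilities, recording the trigger."""
    severity_of = {(f["system"], f["vuln_id"]): f["severity"]
                   for f in findings if f["severity"] in REASSESS_SEVERITIES}
    items = []
    for trig in triggers.values():
        for vuln in trig.new_vulns:
            sev = severity_of[(trig.system, vuln)]
            due = scan_date + timedelta(days=MILESTONE_DAYS[sev])
            items.append({"system": trig.system, "weakness": vuln, "severity": sev,
                          "source": f"vulnerability scan {scan_date.isoformat()}",
                          "trigger": trig.reason,
                          "scheduled_completion": due.isoformat()})
    return items


# Constructed data: two registered systems and a quarterly scan export that
# also surfaces a host nobody put in the register.
RISK_REGISTER = [
    RegisterEntry("web-portal", date(2024, 1, 15), {"VULN-0001"}),
    RegisterEntry("hr-database", date(2024, 1, 15), set()),
]
SCAN_EXPORT = """system,vuln_id,severity
web-portal,VULN-0001,Critical
web-portal,VULN-0002,High
web-portal,VULN-0002,High
hr-database,VULN-0003,Medium
file-server,VULN-0004,Critical
"""
SCAN_DATE = date(2024, 4, 1)

if __name__ == "__main__":
    findings = parse_scan_export(SCAN_EXPORT)
    trigs = find_reassessment_triggers(RISK_REGISTER, findings)
    for t in trigs.values():
        print(f"reassess {t.system}: {t.reason} ({', '.join(t.new_vulns)})")
    for item in poam_items(trigs, findings, SCAN_DATE):
        print(item)
```

Running it flags `web-portal` (one new high finding; the already-assessed critical is ignored) and `file-server` (not in the register at all), while `hr-database` stays quiet because a medium finding does not meet the threshold. Each POA&M row carries the trigger and scan date, which is the evidence an assessor asks for when checking that updates were driven by defined events rather than done ad hoc.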