RA stands for which management control?

Multiple Choice

RA stands for which management control?

Explanation:
Risk assessment is the management control focused on identifying, analyzing, and prioritizing risks to an information system and its operations, assets, and people. In FISMA and NIST terms, this step determines what protections are needed by evaluating the likelihood of threats and the severity of their potential impact. The results guide which security controls to implement, how to allocate resources, and how to monitor risk over time, making it the foundational process for informed decision‑making about protection measures.

Certification, Accreditation & Security Assessments describe the process of verifying that controls are in place and authorizing operation, which comes after risk assessment rather than being the risk-evaluation step itself. Planning is about organizing tasks and objectives, not the act of assessing risk. Systems & Services Acquisition concerns obtaining IT resources, not evaluating risk levels.
