GRCWatch
Sign inStart free trial

NIST ID.RA-3: Threat Identification and Documentation

Identifying threats—both internal and external—is foundational to any cybersecurity program. NIST ID.RA-3 requires your organization to systematically discover, catalog, and document threats that could impact your assets and operations. Without this visibility, you're flying blind when it comes to risk prioritization and resource allocation.

What this means

ID.RA-3 mandates that your organization establish and maintain a documented process for identifying threats from both outside attackers and internal sources. This includes monitoring threat landscapes, conducting asset inventories, understanding adversary behaviors, and documenting findings in a centralized repository. The goal is to ensure every team member understands what threats exist and why they matter to the organization.

How to comply

  1. 1.Establish a threat identification process that covers external threats (attackers, nation-states, competitors) and internal threats (disgruntled employees, negligent users, compromised credentials).
  2. 2.Conduct regular threat assessments and stay updated on emerging threats relevant to your industry and technology stack.
  3. 3.Document all identified threats with context: threat actor, attack vectors, affected assets, and potential impact.
  4. 4.Create a threat register or risk log and make it accessible to stakeholders who need to understand organizational risk.
  5. 5.Review and update threat documentation at least quarterly or when significant changes occur in your environment.
  6. 6.Integrate threat intelligence from industry sources, vendor advisories, and security research into your threat identification process.

Evidence auditors look for

  • Documented threat assessment reports with identified internal and external threats
  • Threat register listing all known threats, sources, attack vectors, and risk ratings
  • Evidence of threat intelligence subscriptions or monitoring tools (e.g., security advisory feeds)
  • Meeting minutes from risk or security committees discussing threat identification
  • Asset inventory linked to threat mappings showing which assets face which threats
  • Incident reports and near-miss documentation showing real-world threats discovered
  • Proof of quarterly threat landscape reviews and updates to threat documentation

Frequently asked questions

When will FAQs be available?

The FAQ for this control is currently being prepared.

GRCWatch automates threat identification workflows by centralizing threat data from multiple sources, automatically mapping threats to your assets, and maintaining an audit-ready threat register—eliminating manual spreadsheet chaos and ensuring ID.RA-3 compliance stays current.

See how GRCWatch handles this control automatically

Start free trial

Related controls

ID.RA-1 Asset InventoryID.RA-2 Business Environment AnalysisID.RA-4 Potential Business Impact AnalysisID.RA-5 Threats, Vulnerabilities, and Likelihood Analysis