Under active development Content is continuously updated and improved · Last updated Feb 18, 2026, 2:55 AM UTC

500.9(a)

>Control Description

Each covered entity shall conduct a periodic risk assessment of the covered entity’s information systems sufficient to inform the design of the cybersecurity program as required by this Part. Such risk assessment shall be reviewed and updated as reasonably necessary, but at a minimum annually, and whenever a change in the business or technology causes a material change to the covered entity’s cyber risk. The covered entity’s risk assessment shall allow for revision of controls to respond to technological developments and evolving threats and shall consider the particular risks of the covered entity’s business operations related to cybersecurity, nonpublic information collected or stored, information systems utilized and the availability and effectiveness of controls to protect nonpublic information and information systems.

>Cross-Framework Mappings