The scope of the risk assessment can be at any of the three tiers
in the risk management hierarchy (i.e., organization, mission/business process, or
system), or the scope can be
limited to certain portions of the system. Identify scope of assessment including
boundaries and intended mission(s)
the system is designed to support
Source: CNSSI-1254 appendix C RAR Data elements #3, NIST SP 800-30