UAF13 — Non-Security Risks

The EA Guide and the formal UAF documents suggest that UAF can be used to capture non-security risks at various levels of abstraction of the AD. The view specifications and UAFML limit the mitigation of a risk to a security control. It appears that an operational or resource mitigation should be elements that are able to mitigate a risk. The current metamodel only allows risks to affect those elements. Some rework in this area would improve the ability to capture non-security risks for ADs. Please see attached pdf for additional information.