Comprehensive Risk Assessment Guidance for Federal Information Systems Published

Risk assessment is the topic of the newest special publication from the National Institute of Standards and Technology (NIST). Guide for Conducting Risk Assessments (NIST Special Publication 800-30, Revision 1), an extensive update to its original 2002 publication, is the authoritative source of comprehensive risk assessment guidance for federal information systems, and is open for public comments through November 4.

"Risk assessments can help federal agencies effectively evaluate the current threat, organizational and information system vulnerabilities, potential adverse impacts to core missions and business operations—using the results to determine appropriate risk responses," said NIST Fellow Ron Ross.

Overall guidance on risk management for information systems is now covered in Managing Information Security Risk: Organization, Mission, and Information System View (NIST SP 800-39), issued last March.* The updated SP 800-30 now focuses exclusively on risk assessments, one of the four steps in risk management, says Ross.

As threats to computer systems grow more complex and sophisticated, risk assessments are an important tool for organizations to rely on as part of a comprehensive risk management program, Ross explains. Risk assessments help organizations:

  • determine the most appropriate risk responses to ongoing cyber attacks or threats stemming from man-made or natural disasters;
  • guide investment strategies and decisions for the most effective cyber defenses to help protect organizational operations (including missions, functions, image and reputation), organizational assets, individuals, other organizations and the nation; and
  • maintain ongoing situational awareness of the security state of an organization's information systems and the environments in which those systems operate.
The guidance in the revised publication has been significantly expanded to include more information on a variety of risk factors essential to determining information security risk, such as threat sources and events, vulnerabilities and predisposing conditions, impact, and likelihood of threat occurrence. The publication describes a three-step process to help organizations prepare for risk assessments, successfully conduct risk assessments and keep assessment results up to date.

Guide for Conducting Risk Assessments also describes how to apply the risk assessment process at the three tiers of the risk management hierarchy outlined in Special Publication 800-39. Sample templates, tables and assessment scales for common risk factors are provided for users to adapt to their own organizational risk assessments based on the purpose, scope, assumptions, and constraints of the assessments.
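To make the risk factors and process named above concrete, here is an added worked example (not code from NIST or from SP 800-30 itself). Each threat event carries the factors the guide lists (threat source, vulnerability, predisposing condition, likelihood, impact); the code combines likelihood and impact into a risk level, ranks the events so risk responses can be chosen, and rescores the register after a response, which is the "keep results up to date" step. The five-level scale, the likelihood combination rule and the risk matrix are simplified assumptions made for this example, not the guide's own assessment scales, and the sample events are constructed.

```python
"""Worked risk assessment in the spirit of NIST SP 800-30 Rev. 1.

Each threat event carries the risk factors the guide names (threat source,
vulnerability, predisposing condition, likelihood, impact). The functions
below combine them into a risk level and rank events so an organization
can choose risk responses. The scales and combination rules are simplified
assumptions for this example, not the guide's own tables; all input data
is constructed.
"""
from dataclasses import dataclass, replace

# Five-level qualitative scale, ordered from lowest to highest (assumption).
LEVELS = ["very low", "low", "moderate", "high", "very high"]

# Assumed risk matrix: RISK_MATRIX[likelihood_index][impact_index] -> risk.
RISK_MATRIX = [
    # impact:  very low    low         moderate    high        very high
    ["very low", "very low", "very low", "low",      "low"],        # likelihood very low
    ["very low", "low",      "low",      "low",      "moderate"],   # low
    ["very low", "low",      "moderate", "moderate", "high"],       # moderate
    ["very low", "low",      "moderate", "high",     "very high"],  # high
    ["very low", "low",      "moderate", "high",     "very high"],  # very high
]


@dataclass(frozen=True)
class ThreatEvent:
    name: str
    threat_source: str              # e.g. adversarial, environmental
    vulnerability: str              # weakness the event would exercise
    predisposing_condition: str     # condition that raises or lowers exposure
    likelihood_initiation: str      # chance the source initiates the event
    likelihood_adverse_impact: str  # chance it causes adverse impact once begun
    impact: str                     # severity of that adverse impact


def level_index(level: str) -> int:
    """Map a scale value to its position; rejects values off the scale."""
    try:
        return LEVELS.index(level.strip().lower())
    except ValueError:
        raise ValueError(f"unknown level {level!r}; expected one of {LEVELS}") from None


def overall_likelihood(initiation: str, adverse_impact: str) -> str:
    """Assumption: both the initiation and the adverse outcome must occur,
    so the overall likelihood is capped by the lower of the two."""
    return LEVELS[min(level_index(initiation), level_index(adverse_impact))]


def risk_level(likelihood: str, impact: str) -> str:
    """Read the (assumed) likelihood x impact matrix."""
    return RISK_MATRIX[level_index(likelihood)][level_index(impact)]


def assess(events):
    """Conduct step: score every event and rank highest risk first.
    Returns a list of (event name, overall likelihood, risk level)."""
    scored = []
    for ev in events:
        lk = overall_likelihood(ev.likelihood_initiation, ev.likelihood_adverse_impact)
        scored.append((ev.name, lk, risk_level(lk, ev.impact)))
    # Sort by risk, then by likelihood, so ties still have a defensible order.
    scored.sort(key=lambda r: (level_index(r[2]), level_index(r[1])), reverse=True)
    return scored


def reassess_after_response(events, name, **changed):
    """Maintain step: update one event's factors after a risk response
    (e.g. a vulnerability closed) and rescore the whole register."""
    updated = [replace(ev, **changed) if ev.name == name else ev for ev in events]
    return assess(updated)


# Constructed sample register for a small agency system.
SAMPLE_EVENTS = [
    ThreatEvent("Phishing for remote-access credentials", "adversarial",
                "single-factor VPN authentication", "large remote workforce",
                likelihood_initiation="high", likelihood_adverse_impact="high",
                impact="high"),
    ThreatEvent("Flood at primary data center", "environmental",
                "no alternate processing site", "facility in a floodplain",
                likelihood_initiation="low", likelihood_adverse_impact="very high",
                impact="very high"),
    ThreatEvent("Exploitation of unpatched public web server", "adversarial",
                "missing vendor patches", "internet-facing service",
                likelihood_initiation="very high", likelihood_adverse_impact="moderate",
                impact="moderate"),
]

if __name__ == "__main__":
    for name, likelihood, risk in assess(SAMPLE_EVENTS):
        print(f"{risk:>9}  likelihood={likelihood:<9}  {name}")
    print("after requiring MFA on the VPN:")
    for name, likelihood, risk in reassess_after_response(
            SAMPLE_EVENTS, "Phishing for remote-access credentials",
            vulnerability="VPN requires MFA", likelihood_adverse_impact="low"):
        print(f"{risk:>9}  likelihood={likelihood:<9}  {name}")
```

The point of the second pass is that a risk response changes one factor (here the likelihood that a phishing attempt leads to adverse impact once multi-factor authentication is in place), and the register is rescored rather than edited by hand, which is what keeps assessment results current between full assessments.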

Guide for Conducting Risk Assessments is the fifth guideline developed for the unified information security framework under the direction of the Joint Task Force, a joint partnership among the Department of Defense, the intelligence community, NIST and the Committee on National Security Systems. The task force will continue to collaborate on protecting federal information systems and the nation's critical information infrastructure.

Guide for Conducting Risk Assessments (Special Publication 800-30, Revision 1) may be downloaded from: http://csrc.nist.gov/publications/drafts/800-30-rev1/SP800-30-Rev1-ipd.pdf. Please send comments to sec-cert@nist.gov by Nov. 4.

* Managing Information Security Risk: Organization, Mission, and Information System View (NIST SP 800-39) is available online at http://csrc.nist.gov/publications/nistpubs/800-39/SP800-39-final.pdf.