This publication has been developed by NIST to further its statutory responsibilities under the Federal Information Security Management Act (FISMA). NIST is responsible for developing information security standards and guidelines, including minimum requirements for federal information systems, but such standards and guidelines do not apply to national security systems without the express approval of appropriate federal officials exercising policy authority over such systems.
This publication was developed in an ongoing effort to produce a unified information security framework for the federal government.
This revision changes the focus of SP 800-30, originally published as a risk management guideline, to focus exclusively on conducting risk assessments. The risk assessment guidance in SP 800-30 has been significantly expanded to include more in-depth information on a wide variety of risk factors essential to determining information security risk (e.g., threat sources and events, vulnerabilities and predisposing conditions, impact, and likelihood of threat occurrence). A three-step process is described including key activities to prepare for risk assessments, activities to successfully conduct risk assessments, and approaches to maintain the currency of assessment results.
In addition to providing a comprehensive process for assessing information security risk, this publication also describes how to apply the process at the three tiers in the risk management hierarchy — the organization level, the mission/business process level, and the information system level. To facilitate ease of use for individuals or groups conducting risk assessments within organizations, this publication also provides a set of exemplary templates, tables, and assessment scales for common risk factors. The templates, tables, and assessment scales give maximum flexibility in designing risk assessments based on the express purpose, scope, assumptions, and constraints established by organizations.
- NIST Special Publication 800-165, at 13-14.