The process of identifying risks to organizational operations (including mission, functions, image, reputation), organizational assets, individuals, other organizations, and the Nation, resulting from the operation of an information system. Part of risk management, incorporates threat and vulnerability analyses, and considers mitigations provided by security controls planned or in place. Synonymous with risk analysis.
Source(s):
NIST SP 800-137 under Risk Assessment from CNSSI 4009
NIST SP 1800-21B under Risk Assessment from NIST SP 800-53 Rev. 4

  The testing and/or evaluation of the management, operational, and technical security controls in an information system to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting the security requirements for the system.
Source(s):
CNSSI 4009-2015 under security control assessment from NIST SP 800-37 Rev. 1
NIST SP 800-137 under Security Control Assessment from CNSSI 4009 - Adapted
NIST SP 800-37 Rev. 1 under Security Control Assessment

  The testing or evaluation of security controls to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting the security requirements for an information system or organization.
Source(s):
NIST SP 800-171 Rev. 2 under security control assessment from OMB Circular A-130
NIST SP 800-37 Rev. 2 under security control assessment
NIST SP 800-172 under security control assessment from OMB Circular A-130 (2016)
NIST SP 800-53 Rev. 4 under Security Control Assessment from CNSSI 4009 - Adapted
NIST SP 800-53A Rev. 4 under Security Control Assessment

  Overall process of risk identification, risk analysis, and risk evaluation.
Source(s):
NIST SP 800-160 Vol. 2 under risk assessment from ISO Guide 73
NIST SP 800-160 Vol. 1 under risk assessment from ISO Guide 73

  The process of identifying risks to agency operations (including mission, functions, image, or reputation), agency assets, or individuals by determining the probability of occurrence, the resulting impact, and additional security controls that would mitigate this impact. Part of risk management, synonymous with risk analysis, and incorporates threat and vulnerability analyses.
Source(s):
NIST SP 800-18 Rev. 1 under Risk Assessment from NIST SP 800-30

  The process of identifying risks to organizational operations (including mission, functions, image, reputation), organizational assets, individuals, other organizations, and the Nation, resulting from the operation of a system.
Source(s):
NIST SP 800-171 Rev. 2 under risk assessment from NIST SP 800-30
NIST SP 800-37 Rev. 2 under risk assessment
NIST SP 800-53 Rev. 5 under risk assessment from NIST SP 800-39
NIST SP 800-172 under risk assessment from NIST SP 800-30 Rev. 1
NIST SP 800-171 Rev. 1 [Superseded] under risk assessment

  The testing and/or evaluation of the management, operational, and technical security controls in a system to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting the security requirements for the system.
Source(s):
NIST SP 800-12 Rev. 1 under Security Control Assessment from NIST SP 800-37

  The process of identifying risks to organizational operations (including mission, functions, image, reputation), organizational assets, individuals, other organizations, and the Nation, resulting from the operation of a system. Part of risk management, incorporates threat and vulnerability analyses, and considers mitigations provided by security controls planned or in place. Synonymous with risk analysis.
Source(s):
NIST SP 800-12 Rev. 1 under Risk Assessment from NIST SP 800-39

  The process of identifying, estimating, and prioritizing risks to organizational operations (including mission, functions, image, reputation), organizational assets, individuals, other organizations, and the Nation, resulting from the operation of an information system. Part of risk management, incorporates threat and vulnerability analyses, and considers mitigations provided by security controls planned or in place. Synonymous with risk analysis.
Source(s):
CNSSI 4009-2015 under risk assessment from NIST SP 800-39
NIST SP 800-30 Rev. 1 under Risk Assessment from NIST SP 800-39

  See Security Control Assessment.
Source(s):
NIST SP 800-137 under Assessment
NIST SP 800-37 Rev. 1 under Assessment
NIST SP 800-39 under Assessment
NIST SP 800-53 Rev. 4 under Assessment
NIST SP 800-171 Rev. 2
NIST SP 800-172
NIST SP 800-171 Rev. 1 [Superseded]

  See risk analysis
Source(s):
NIST SP 800-33 [Withdrawn] under risk assessment

  The process of identifying risks to organizational operations (including mission, functions, image, reputation), organizational assets, individuals, other organizations, and the Nation, resulting from the operation of an information system. Part of risk management, incorporates threat and vulnerability analyses, and considers mitigations provided by security controls planned or in place.  Synonymous with risk analysis.
Source(s):
NIST SP 800-39 under Risk Assessment

  See Security Control Assessment or Privacy Control Assessment.
Source(s):
NIST SP 800-53A Rev. 4 under Assessment

  The process of identifying the risks to system security and determining the probability of occurrence, the resulting impact, and additional safeguards that would mitigate this impact. Part of Risk Management and synonymous with Risk Analysis.
Source(s):
NIST SP 1800-25B under Risk Assessment from NIST SP 800-63-2
NIST SP 1800-26B under Risk Assessment from NIST SP 800-63-2
NIST SP 800-63-2 [Superseded] under Risk Assessment

  The process of identifying, estimating, and prioritizing risks to organizational operations (including mission, functions, image, or reputation), organizational assets, individuals, and other organizations, resulting from the operation of a system. It is part of risk management, incorporates threat and vulnerability analyses, and considers mitigations provided by security controls planned or in place. Synonymous with risk analysis.
Source(s):
NIST SP 800-63-3 under Risk Assessment

  Assessment in this context means a formal process of assessing the implementation and reliable use of issuer controls using various methods of assessment (e.g., interviews, document reviews, observations) that support the assertion that an issuer is reliably meeting the requirements of [FIPS 201-2].
Source(s):
NIST SP 800-79-2 under Assessment (as applied to an issuer)

  An evaluation of the amount of entropy provided by a (digitized) noise source and/or the entropy source that employs it.
Source(s):
NIST SP 800-90B under Assessment (of entropy)

  See control assessment or risk assessment.
Source(s):
NIST SP 800-37 Rev. 2
NIST SP 800-53 Rev. 5

  The testing or evaluation of the controls in an information system or an organization to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting the security or privacy requirements for the system or the organization.
Source(s):
NIST SP 800-37 Rev. 2 under control assessment
NIST SP 800-53 Rev. 5 under control assessment from NIST SP 800-37 Rev. 2

  See security control assessment or risk assessment.
Source(s):
CNSSI 4009-2015 from NIST SP 800-30 Rev. 1
NIST SP 800-30 Rev. 1 under Assessment

  The process of identifying risks to organizational operations (including mission, functions, image, reputation), organizational assets, individuals, other organizations, and the Nation, resulting from the operation of an information system. Part of risk management, incorporates threat and vulnerability analyses, and considers mitigations provided by security controls or privacy controls planned or in place. Synonymous with risk analysis.
Source(s):
NIST SP 800-53A Rev. 4 under Risk Assessment

  The testing and/or evaluation of the management, operational, and technical security controls to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting the security requirements for an information system or organization.
Source(s):
NIST SP 800-30 Rev. 1 under Security Control Assessment from NIST SP 800-39, CNSSI 4009 - Adapted
NIST SP 800-39 under Security Control Assessment from CNSSI 4009 - Adapted

  The process of identifying risks to organizational operations (including mission, functions, image, reputation), organizational assets, individuals, other organizations, and the Nation, resulting from the operation of an information system. Part of risk management, incorporates threat and vulnerability analyses, and considers mitigations provided by security controls planned or in place. Synonymous with risk analysis.
Source(s):
NIST SP 800-37 Rev. 1 under Risk Assessment
NIST SP 800-53 Rev. 4 under Risk Assessment

  The process of identifying risks to agency operations (including mission, functions, image, or reputation), agency assets, or individuals by determining the probability of occurrence, the resulting impact, and additional security controls that would mitigate this impact. Part of risk management, synonymous with risk analysis. Incorporates threat and vulnerability analyses.
Source(s):
NIST SP 800-82 Rev. 2 under Risk Assessment from NIST SP 800-30
NISTIR 8183A Vol. 1 under Risk Assessment from NIST SP 800-82
NISTIR 8183A Vol. 2 under Risk Assessment from NIST SP 800-82
NISTIR 8183A Vol. 3 under Risk Assessment from NIST SP 800-82
NISTIR 8183 under Risk Assessment
NISTIR 8183 Rev. 1 under Risk Assessment from NIST SP 800-82 Rev. 2

  The testing or evaluation of privacy controls to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting the privacy requirements for an information system or organization.
Source(s):
NIST SP 800-53A Rev. 4 under Privacy Control Assessment

  The process of identifying risks to organizational operations (including mission, functions, image, reputation), organizational assets, individuals, other organizations, and the Nation, resulting from the operation of an information system. Part of risk management, incorporates threat and vulnerability analyses, and considers mitigations provided by security controls planned or in place. Synonymous with risk analysis.
Source(s):
NIST SP 800-53 Rev. 4 under Risk Assessment

  A completed or planned action of evaluation of an organization, a mission or business process, or one or more systems and their environments; or
Source(s):
NIST SP 800-137A

  The vehicle or template or worksheet that is used for each evaluation.
Source(s):
NIST SP 800-137A

  The process of identifying risks to organizational operations (including mission, functions, image, reputation), organizational assets, individuals, other organizations, and the Nation, resulting from the operation of an information system. Part of risk management, incorporates threat and vulnerability analyses, and considers mitigations provided by security controls planned or in place.
Source(s):
NIST SP 800-160 Vol. 2 under risk assessment from NIST SP 800-39 - Adapted

  Risk management includes threat and vulnerability analyses as well as analyses of adverse effects on individuals arising from information processing and considers mitigations provided by security and privacy controls planned or in place. Synonymous with risk analysis.
Source(s):
NIST SP 800-53 Rev. 5 under risk assessment from NISTIR 8062 - Adapted

  The process of identifying risks to organizational operations (including mission, functions, image, reputation), organizational assets, individuals, other organizations, and the Nation, resulting from the operation of a system. Part of risk management, incorporates threat and vulnerability analyses and analyses of privacy problems arising from information processing and considers mitigations provided by security and privacy controls planned or in place. Synonymous with risk analysis.
Source(s):
NIST SP 800-53B under risk assessment from NIST SP 800-39

  The process of identifying risks to organizational operations (including mission, functions, image, reputation), organizational assets, individuals, other organizations, and the Nation, resulting from the operation of an information system.
Source(s):
NIST SP 1800-21C under Risk Assessment

  The process of identifying, estimating, and prioritizing risks to organizational operations (including mission, functions, image, reputation), organizational assets, individuals, other organizations, and the Nation, resulting from the operation of an information system. Part of risk management incorporates threat and vulnerability analyses, and considers mitigations provided by security controls planned or in place.
Source(s):
NIST SP 1800-11B under risk assessment from NIST SP 800-30 Rev. 1

  The process of identifying risks to agency operations (including mission, functions, image, or reputation), agency assets, or individuals by determining the probability of occurrence, the resulting impact, and additional security controls that would mitigate this impact. Part of risk management, synonymous with risk analysis. Incorporates threat and vulnerability analyses.
Source(s):
NISTIR 8183 under Risk Assessment from NIST SP 800-82 Rev. 2

  The process of identifying, estimating, and prioritizing risks to organizational operations (including mission, functions, image, reputation), organizational assets, individuals, other organizations, and the Nation, resulting from the operation of an information system. Part of risk management incorporates threat and vulnerability analyses, and considers mitigations provided by security controls planned or in place. Synonymous with risk analysis.
Source(s):
NISTIR 8323 under Risk Assessment from NIST SP 800-30 Rev. 1

  A value that defines an analyzer's estimated level of security risk for using an app. Risk assessments are typically based on the likelihood that a detected vulnerability will be exploited and the impact that the detected vulnerability may have on the app or its related device or network. Risk assessments are typically represented as categories (e.g., low-, moderate-, and high-risk).
Source(s):
NIST SP 800-163 [Superseded] under Risk Assessment

  See risk analysis.
Source(s):
NIST SP 800-27 Rev. A [Withdrawn] under risk assessment

  The testing or evaluation of security controls to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting the security requirements for a system or organization.
Source(s):
NIST SP 800-171 Rev. 1 [Superseded] under security control assessment from CNSSI 4009 - Adapted