Guide for Conducting Risk Assessments

Joint Task Force Transformation Initiative

doi:https://doi.org/10.6028/NIST.SP.800-30r1

July 19, 2023: URLs for CSRC publication details pages have changed. Legacy URLs should automatically redirect to the new URLs. However, links to the actual publications have NOT changed (e.g., DOIs and PDFs on nvlpubs.nist.gov). Please send inquiries to csrc-inquiry@nist.gov. [12:20 pm ET - If you received "Page Not Found" errors recently, please retry accessing those files. File synchronization should now be complete.]

NIST SP 800-30 Rev. 1

Guide for Conducting Risk Assessments

Documentation Topics

Date Published: September 2012

Supersedes: SP 800-30 (07/01/2002)

Author(s)

Joint Task Force Transformation Initiative

Abstract

The purpose of Special Publication 800-30 is to provide guidance for conducting risk assessments of federal information systems and organizations, amplifying the guidance in Special Publication 800-39. Risk assessments, carried out at all three tiers in the risk management hierarchy, are part of an overall risk management process—providing senior leaders/executives with the information needed to determine appropriate courses of action in response to identified risks.

Keywords

Cost-benefit analysis; residual risk; risk; risk assessment; risk management; risk mitigation; security controls; threat vulnerability

Control Families

Assessment, Authorization and Monitoring; Planning; Program Management; Risk Assessment; System and Services Acquisition

Documentation

Publication:
https://doi.org/10.6028/NIST.SP.800-30r1
Download URL

Supplemental Material:
SP 800-30 Rev. 1 (EPUB) (epub)
Press Release

Document History:
09/17/12: SP 800-30 Rev. 1 (Final)

Topics

Security and Privacy

audit & accountability, planning, risk assessment

Laws and Regulations

Federal Information Security Modernization Act, Homeland Security Presidential Directive 7