NIST Revising Risk Assessment Guidance

Public Comment on Revision to SP 800-30 Due by Nov. 4
The National Institute of Standards and Technology unveiled Monday its initial draft of an update to its Guide for Conducting Risk Assessment, Special Publication 800-30, Revision 1.

The update's focus on risk assessment, one of the four steps in the risk management process, expands on the earlier version of SP 800-30 with more in-depth information on the factors essential to determining information security risk, such as threat sources and events, vulnerabilities, and the impact and likelihood of threat occurrence. The draft guidance describes a three-step process covering the key activities to prepare for risk assessments, the activities to conduct risk assessments successfully, and approaches to keep assessment results current.

"It's important, in that climate today, where we have very sophisticated cyberattacks taking place, to have the ability to do a fairly comprehensive analysis on the threat space ... [that can] cause severe or potentially catastrophic impacts to our missions," says NIST Senior Computer Scientist Ron Ross, who leads the interagency Joint Task Force that created the guidance. "That's really the primary purpose of those documents, to give people the tools to be able to do good risk assessment so they can figure out exactly what are the most appropriate countermeasures to apply to their systems and the environments of those systems where they operate."

The Joint Task Force - a joint partnership among NIST, Department of Defense, intelligence community and the Committee on National Security Systems - has been developing a unified information security framework for the federal government to address the challenges of protecting federal information and information systems as well as the nation's critical information infrastructure.

According to NIST, the draft publication issued Monday changes the focus of SP 800-30, originally published as a risk management guideline. NIST SP 800-39, Managing Information Security Risk, has replaced SP 800-30 as the authoritative source of comprehensive risk management guidance. In addition to providing a comprehensive process for assessing information security risk, the revised publication also describes how to apply the process at the three tiers in the risk management hierarchy: organization, mission/business process and information system levels. To facilitate ease of use for those conducting risk assessments, a set of exemplary templates, tables and assessment scales for common risk factors is also provided.

NIST seeks suggestions from the public to improve the revision to SP 800-30, Revision 1. Comments can be sent to by Nov. 4.

About the Author

Eric Chabrow

Retired Executive Editor, GovInfoSecurity

Chabrow, who retired at the end of 2017, hosted and produced the semi-weekly podcast ISMG Security Report and oversaw ISMG's GovInfoSecurity and InfoRiskToday. He's a veteran multimedia journalist who has covered information technology, government and business.
