NIST 80-300

The purpose of Special Publication 800-30 is to provide guidance for conducting risk assessments of federal information systems and organizations, amplifying the guidance provided in Special Publication 800-39. This document provides guidance for carrying out each of the three steps in the risk assessment process (i.e., prepare for the assessment, conduct the assessment, and maintain the assessment) and how risk assessments and other organizational risk management processes complement and inform each other. [Supersedes SP 800-30 (July 2002):]
Citation: Special Publication (NIST SP) - 800-30 Rev 1
Pub Type: NIST Pubs
Paper -
NIST SP 800 30 framework
Risk assessment according NIST SP 800-30 
To determine the likelihood of a future adverse event, threats to an IT system must be in conjunction with the potential vulnerabilities and the controls in place for the IT system.
Impact refers to the magnitude of harm that could be caused by a threat’s exercise of vulnerability. The level of impact is governed by the potential mission impacts and produces a relative value for the IT assets and resources affected (e.g., the criticality sensitivity of the IT system components and data). The risk assessment methodology encompasses nine primary steps:
Step 1 System Characterization
Step 2 Threat Identification
Step 3 Vulnerability Identification
Step 4 Control Analysis
Step 5 Likelihood Determination
Step 6 Impact Analysis
Step 7 Risk Determination
Step 8 Control Recommendations
Step 9 Results Documentation

Leave a comment

Make sure you enter all the required information, indicated by an asterisk (*). HTML code is not allowed.