Official websites use .gov
A .gov website belongs to an official government organization in the United States.

Secure .gov websites use HTTPS
A lock ( ) or https:// means you’ve safely connected to the .gov website. Share sensitive information only on official, secure websites.

A  |  B  |  C  |  D  |  E  |  F  |  G  |  H  |  I  |  J  |  K  |  L  |  M  |  N  |  O  |  P  |  Q  |  R  |  S  |  T  |  U  |  V  |  W  |  X  |  Y  |  Z

assessment

Abbreviations / Acronyms / Synonyms:

control assessment
Privacy Control Assessment
Risk Assessment
Security Control Assessment

Definitions:

  The process of identifying risks to organizational operations (including mission, functions, image, reputation), organizational assets, individuals, other organizations, and the Nation, resulting from the operation of an information system. Part of risk management, incorporates threat and vulnerability analyses, and considers mitigations provided by security controls planned or in place. Synonymous with risk analysis.
Sources:
NIST SP 1800-21B under Risk Assessment
NIST SP 800-137 under Risk Assessment from CNSSI 4009

  The testing and/or evaluation of the management, operational, and technical security controls in an information system to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting the security requirements for the system.
Sources:
CNSSI 4009-2015 under security control assessment
NIST SP 800-137 under Security Control Assessment from CNSSI 4009 - Adapted

  The testing or evaluation of security controls to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting the security requirements for an information system or organization.
Sources:
NIST SP 800-172 under security control assessment from OMB Circular A-130 (2016)
NIST SP 800-172A under security control assessment from OMB Circular A-130 (2016)
NIST SP 800-37 Rev. 2 under security control assessment from OMB Circular A-130 (2016)
NIST SP 800-171 Rev. 2 under security control assessment from OMB Circular A-130 (2016)

  Overall process of risk identification, risk analysis, and risk evaluation.
Sources:
NIST SP 800-160 Vol. 2 Rev. 1 under risk assessment from ISO Guide 73
NIST SP 800-160v1r1 under risk assessment from ISO Guide 73

  The process of identifying risks to agency operations (including mission, functions, image, or reputation), agency assets, or individuals by determining the probability of occurrence, the resulting impact, and additional security controls that would mitigate this impact. Part of risk management, synonymous with risk analysis, and incorporates threat and vulnerability analyses.
Sources:
NIST SP 800-18 Rev. 1 under Risk Assessment

  The process of identifying risks to organizational operations (including mission, functions, image, reputation), organizational assets, individuals, other organizations, and the Nation, resulting from the operation of a system.
Sources:
NIST SP 800-172 under risk assessment from NIST SP 800-30 Rev. 1
NIST SP 800-172A under risk assessment from NIST SP 800-30 Rev. 1
NIST SP 800-37 Rev. 2 under risk assessment from NIST SP 800-30 Rev. 1
NIST SP 800-53 Rev. 5 under risk assessment from NIST SP 800-39
NIST SP 800-53A Rev. 5 under risk assessment from NIST SP 800-39
NIST SP 800-171 Rev. 2 under risk assessment

  The testing and/or evaluation of the management, operational, and technical security controls in a system to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting the security requirements for the system.
Sources:
NIST SP 800-12 Rev. 1 under Security Control Assessment

  The process of identifying risks to organizational operations (including mission, functions, image, reputation), organizational assets, individuals, other organizations, and the Nation, resulting from the operation of a system. Part of risk management, incorporates threat and vulnerability analyses, and considers mitigations provided by security controls planned or in place. Synonymous with risk analysis.
Sources:
NIST SP 800-12 Rev. 1 under Risk Assessment from NIST SP 800-39

  The process of identifying, estimating, and prioritizing risks to organizational operations (including mission, functions, image, reputation), organizational assets, individuals, other organizations, and the Nation, resulting from the operation of an information system. Part of risk management, incorporates threat and vulnerability analyses, and considers mitigations provided by security controls planned or in place. Synonymous with risk analysis.
Sources:
CNSSI 4009-2015 under risk assessment from NIST SP 800-39
NIST SP 800-30 Rev. 1 under Risk Assessment from NIST SP 800-39
NIST IR 8323r1 under risk assessment from NIST SP 800-30 Rev. 1
NIST IR 8441 under risk assessment from NIST SP 800-30 Rev. 1

  See Security Control Assessment.
Sources:
NIST SP 800-137 under Assessment
NIST SP 800-172
NIST SP 800-39 under Assessment
NIST SP 800-171 Rev. 2

  The process of identifying risks to organizational operations (including mission, functions, image, reputation), organizational assets, individuals, other organizations, and the Nation, resulting from the operation of an information system. Part of risk management, incorporates threat and vulnerability analyses, and considers mitigations provided by security controls planned or in place.  Synonymous with risk analysis.
Sources:
NIST SP 800-39 under Risk Assessment

  The process of identifying the risks to system security and determining the probability of occurrence, the resulting impact, and additional safeguards that would mitigate this impact. Part of Risk Management and synonymous with Risk Analysis.
Sources:
NIST SP 1800-10B under Risk Assessment
NIST SP 1800-25B under Risk Assessment
NIST SP 1800-26B under Risk Assessment

  The process of identifying, estimating, and prioritizing risks to organizational operations (including mission, functions, image, or reputation), organizational assets, individuals, and other organizations, resulting from the operation of a system. It is part of risk management, incorporates threat and vulnerability analyses, and considers mitigations provided by security controls planned or in place. Synonymous with risk analysis.
Sources:
NIST SP 800-63-3 under Risk Assessment

  Assessment in this context means a formal process of assessing the implementation and reliable use of issuer controls using various methods of assessment (e.g., interviews, document reviews, observations) that support the assertion that an issuer is reliably meeting the requirements of [FIPS 201-2].
Sources:
NIST SP 800-79-2 under Assessment (as applied to an issuer)

  An evaluation of the amount of entropy provided by a (digitized) noise source and/or the entropy source that employs it.
Sources:
NIST SP 800-90B under Assessment (of entropy)

  See control assessment or risk assessment.
Sources:
NIST SP 800-37 Rev. 2
NIST SP 800-53 Rev. 5
NIST SP 800-53A Rev. 5

  The testing or evaluation of the controls in an information system or an organization to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting the security or privacy requirements for the system or the organization.
Sources:
NIST SP 800-37 Rev. 2 under control assessment
NIST SP 800-53 Rev. 5 under control assessment from NIST SP 800-37 Rev. 2
NIST SP 800-53A Rev. 5 under control assessment from NIST SP 800-37 Rev. 2

  See security control assessment or risk assessment.
Sources:
CNSSI 4009-2015 from NIST SP 800-30 Rev. 1
NIST SP 800-30 Rev. 1 under Assessment

  The testing and/or evaluation of the management, operational, and technical security controls to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting the security requirements for an information system or organization.
Sources:
NIST SP 800-30 Rev. 1 under Security Control Assessment from NIST SP 800-39, CNSSI 4009 - Adapted
NIST SP 800-39 under Security Control Assessment from CNSSI 4009 - Adapted

  A completed or planned action of evaluation of an organization, a mission or business process, or one or more systems and their environments; or
Sources:
NIST SP 800-137A

  The vehicle or template or worksheet that is used for each evaluation.
Sources:
NIST SP 800-137A

  Risk management includes threat and vulnerability analyses as well as analyses of adverse effects on individuals arising from information processing and considers mitigations provided by security and privacy controls planned or in place. Synonymous with risk analysis.
Sources:
NIST SP 800-53 Rev. 5 under risk assessment from NISTIR 8062 - Adapted
NIST SP 800-53A Rev. 5 under risk assessment from NISTIR 8062 - Adapted

  The process of identifying risks to organizational operations (including mission, functions, image, reputation), organizational assets, individuals, other organizations, and the Nation, resulting from the operation of a system. Part of risk management, incorporates threat and vulnerability analyses and analyses of privacy problems arising from information processing and considers mitigations provided by security and privacy controls planned or in place. Synonymous with risk analysis.
Sources:
NIST SP 800-53B under risk assessment from NIST SP 800-39
NIST IR 8401 under risk assessment from NIST SP 800-30 Rev. 1

  The process of identifying risks to organizational operations (including mission, functions, image, reputation), organizational assets, individuals, other organizations, and the Nation, resulting from the operation of an information system.
Sources:
NIST SP 1800-21C under Risk Assessment

  The process of identifying, estimating, and prioritizing risks to organizational operations (including mission, functions, image, reputation), organizational assets, individuals, other organizations, and the Nation, resulting from the operation of an information system. Part of risk management incorporates threat and vulnerability analyses, and considers mitigations provided by security controls planned or in place.
Sources:
NIST SP 1800-11B under risk assessment from NIST SP 800-30 Rev. 1
NIST SP 1800-30B under risk assessment from NIST SP 800-30 Rev. 1
NIST SP 1800-34B under risk assessment from NIST SP 800-30 Rev. 1

  The process of identifying risks to organizational operations (including mission, functions, image, reputation), organizational assets, individuals, other organizations, and the Nation, resulting from the operation of an information system. A part of risk management incorporates threat and vulnerability analyses, and considers mitigations provided by security controls planned or in place.
Sources:
NIST SP 800-160 Vol. 2 Rev. 1 under risk assessment from NIST SP 800-39 - adapted

  The process of identifying, estimating, and prioritizing risks to organizational operations (including mission, functions, image, reputation), organizational assets, individuals, other organizations, and the Nation, resulting from the operation of an information system. Part of risk management, incorporates threat and vulnerability analyses, and considers mitigations provided by security controls planned or in place. Synonymous with risk analysis.
Sources:
NIST SP 800-188 under risk assessment from NIST SP 800-39

  The process of identifying risks to agency operations (including mission, functions, image, or reputation), agency assets, or individuals by determining the probability of occurrence, the resulting impact, and additional security controls that would mitigate this impact. Part of risk management, synonymous with risk analysis. Incorporates threat and vulnerability analyses.
Sources:
NIST SP 800-82r3 under risk assessment from NIST SP 800-39 - adapted

  The process of identifying risks to agency operations (including mission, functions, image, or reputation), agency assets, or individuals by determining the probability of occurrence, the resulting impact, and additional security controls that would mitigate this impact. Part of risk management, synonymous with risk analysis. Incorporates threat and vulnerability analyses.
Sources:
NISTIR 8183 under Risk Assessment from NIST SP 800-82r3

  The process of identifying risks to agency operations (including mission, functions, image, or reputation), agency assets, or individuals by determining the probability of occurrence, the resulting impact, and additional security controls that would mitigate this impact. Part of risk management, synonymous with risk analysis. Incorporates threat and vulnerability analyses.
Sources:
NISTIR 8183 under Risk Assessment
NISTIR 8183 Rev. 1 under Risk Assessment from NIST SP 800-82r3
NISTIR 8183A Vol. 1 under Risk Assessment
NISTIR 8183A Vol. 2 under Risk Assessment
NISTIR 8183A Vol. 3 under Risk Assessment