risk management

Definitions:

  The process of managing risks to organizational operations (including mission, functions, image, or reputation), organizational assets, or individuals resulting from the operation of an information system, and includes: (i) the conduct of a risk assessment; (ii) the implementation of a risk mitigation strategy; and (iii) employment of techniques and procedures for the continuous monitoring of the security state of the information system.
Sources:
FIPS 200 under RISK MANAGEMENT

  The program and supporting processes to manage information security risk to organizational operations (including mission, functions, image, reputation), organizational assets, individuals, other organizations, and the Nation, and includes: (i) establishing the context for risk-related activities; (ii) assessing risk; (iii) responding to risk once determined; and (iv) monitoring risk over time.
Sources:
CNSSI 4009-2015 from NIST SP 800-39
NIST SP 800-12 Rev. 1 under Risk Management from NIST SP 800-39
NIST SP 800-128 under Risk Management from NIST SP 800-39
NIST SP 800-137 under Risk Management from FIPS 200 - Adapted
NIST SP 800-30 Rev. 1 under Risk Management from NIST SP 800-39, CNSSI 4009 - Adapted
NIST SP 800-39 under Risk Management from CNSSI 4009 - Adapted
NIST IR 8323r1 from NIST SP 800-39
NIST IR 8401 from NIST SP 800-39
NIST IR 8441 from NIST SP 800-39
NISTIR 7621 Rev. 1 under Risk Management

  Coordinated activities to direct and control an organization with regard to risk.
Sources:
NIST SP 800-160v1r1 from ISO Guide 73

  The process of managing risks to agency operations (including mission, functions, image, or reputation), agency assets, or individuals resulting from the operation of an information system. It includes risk assessment; cost-benefit analysis; the selection, implementation, and assessment of security controls; and the formal authorization to operate the system. The process considers effectiveness, efficiency, and constraints due to laws, directives, policies, or regulations.
Sources:
NIST SP 800-18 Rev. 1 under Risk Management
NIST SP 800-34 Rev. 1 under Risk Management

  The on-going process of assessing the risk to IT resources and information, as part of a risk-based approach used to determine adequate security for a system, by analyzing the threats and vulnerabilities and selecting appropriate cost-effective controls to achieve and maintain an acceptable level of risk.
Sources:
NIST SP 800-16 under Risk Management

  The program and supporting processes to manage information security risk to organizational operations (including mission, functions, image, reputation), organizational assets, individuals, other organizations, and includes: (i) establishing the context for risk-related activities; (ii) assessing risk; (iii) responding to risk once determined; and (iv) monitoring risk over time.
Sources:
NIST SP 800-63-3 under Risk Management

  The program and supporting processes to manage risk to agency operations (including mission, functions, image, reputation), agency assets, individuals, other organizations, and the Nation, and includes: establishing the context for risk-related activities; assessing risk; responding to risk once determined; and monitoring risk over time.
Sources:
NIST SP 800-128
NIST SP 800-37 Rev. 2 from OMB Circular A-130 (2016)
NIST SP 800-53 Rev. 5 from OMB Circular A-130 (2016)
NIST SP 800-53A Rev. 5 from OMB Circular A-130 (2016)

  The program and supporting processes to manage risk to agency operations (including mission, functions, image, reputation), agency assets, individuals, other organizations, and the Nation, and includes: establishing the context for risk-related activities, assessing risk, responding to risk once determined, and monitoring risk over time.
Sources:
NIST SP 800-53B from OMB Circular A-130 (2016)

  The program and supporting processes to manage risk to agency operations (including mission, functions, image, reputation), agency assets, individuals, other organizations, and the Nation, and includes establishing the context for risk-related activities; assessing risk; responding to risk once determined; and monitoring risk over time.
Sources:
NIST SP 800-161r1-upd1 [11/1/2024 errata update] from NIST SP 800-53 Rev. 5

  The process of managing risks to organizational operations (including mission, functions, image, reputation), organizational assets, individuals, other organizations, and the Nation, resulting from the operation of an information system, and includes: (i) the conduct of a risk assessment; (ii) the implementation of a risk mitigation strategy; and (iii) employment of techniques and procedures for the continuous monitoring of the security state of the information system.
Sources:
NIST SP 800-82r3 from FIPS 200 - adapted

  The program and supporting processes to manage information security risk to organizational operations (including mission, functions, images, and reputation), organizational assets, individuals, other organizations, and the Nation, and includes: (i) establishing the context for risk-related activities, (ii) assessing risk, (iii) responding to risk once determined, and (iv) monitoring risk over time.
Sources:
NIST SP 800-175A

  The total process of identifying, controlling, and eliminating or minimizing uncertain events that may adversely affect system resources. It includes risk analysis, cost benefit analysis, selection, implementation and test, security evaluation of safeguards, and overall security review.
Sources:
NISTIR 4734 under Risk Management

  An ISCM capability that focuses on reducing the successful exploits of the other non-meta capabilities that occur because the risk management process fails to correctly identify and prioritize actions and investments needed to lower the risk profile.
Sources:
NISTIR 8011 Vol. 1 under Capability, Manage and Assess Risk

  See Capability, Manage and Assess Risk.
Sources:
NISTIR 8011 Vol. 1 under Risk Management

  The program and supporting processes to manage information security risk to organizational operations (including mission, functions, image, reputation), organizational assets, individuals, other organizations, and the Nation, and includes: (i) establishing the context for risk-related activities; (ii) assessing risk; (iii) responding to risk once determined; and (iv) monitoring risk over time.
Sources:
NISTIR 8170 under Risk Management from CNSSI 4009 - adapted

  The process of identifying, assessing, and responding to risk.
Sources:
NIST Cybersecurity Framework Version 1.1 under Risk Management
NIST Privacy Framework Version 1.0 under Risk Management