Guide for Conducting Risk Assessments

Joint Task Force Transformation Initiative

doi:https://doi.org/10.6028/NIST.SP.800-30r1

SP 800-30 Rev. 1

Guide for Conducting Risk Assessments

Documentation Topics

Date Published: September 2012

Supersedes: SP 800-30 (07/01/2002)

Author(s)

Joint Task Force Transformation Initiative

Abstract

The purpose of Special Publication 800-30 is to provide guidance for conducting risk assessments of federal information systems and organizations, amplifying the guidance in Special Publication 800-39. Risk assessments, carried out at all three tiers in the risk management hierarchy, are part of an overall risk management process—providing senior leaders/executives with the information needed to determine appropriate courses of action in response to identified risks.

Keywords

Cost-benefit analysis; residual risk; risk; risk assessment; risk management; risk mitigation; security controls; threat vulnerability

Control Families

Assessment, Authorization and Monitoring; Planning; Program Management; Risk Assessment; System and Services Acquisition

Documentation

Publication:
SP 800-30 Rev. 1 (DOI)
Local Download

Supplemental Material:
SP 800-30 Rev. 1 (EPUB) (txt)
Press Release (other)

Document History:
09/17/12: SP 800-30 Rev. 1 (Final)

Topics

Security and Privacy
audit & accountability; planning; risk assessment

Laws and Regulations
Federal Information Security Modernization Act; Homeland Security Presidential Directive 7