NIST Revising Risk Assessment Guidance
Public Comment on Revision to SP 800-30 Due by Nov. 4

The update's focus on risk assessment, one of the four steps in the risk management process, expands from the earlier version of SP 800-30 to include more in-depth information on a variety of factors essential to determining information security risk, such as threat sources and events, vulnerabilities, and the impact and likelihood of threat occurrence. The draft guidance describes a three-step process that includes key activities to prepare for risk assessments, activities to successfully conduct risk assessments, and approaches to maintain the currency of assessment results.
"It's important, in that climate today, where we have very sophisticated cyberattacks taking place, to have the ability to do a fairly comprehensive analysis on the threat space ... [that can] cause severe or potentially catastrophic impacts to our missions," says NIST Senior Computer Scientist Ron Ross, who leads the interagency Joint Task Force that created the guidance. "That's really the primary purpose of those documents, to give people the tools to be able to do good risk assessment so they can figure out exactly what are the most appropriate countermeasures to apply to their systems and the environments of those systems where they operate."
The Joint Task Force - a joint partnership among NIST, Department of Defense, intelligence community and the Committee on National Security Systems - has been developing a unified information security framework for the federal government to address the challenges of protecting federal information and information systems as well as the nation's critical information infrastructure.
According to NIST, the draft publication issued Monday changes the focus of SP 800-30, originally published as a risk management guideline. NIST SP 800-39, Managing Information Security Risk, has replaced SP 800-30 as the authoritative source of comprehensive risk management guidance. In addition to providing a comprehensive process for assessing information security risk, the revised publication also describes how to apply the process at the three tiers in the risk management hierarchy: organization, mission/business process and information system levels. To facilitate ease of use for those conducting risk assessments, a set of exemplary templates, tables and assessment scales for common risk factors is also provided.
NIST seeks suggestions from the public to improve the revision to SP 800-30, Revision 1. Comments can be sent to sec-cert@nist.gov by Nov. 4.