NIST Wants You … Again … this Time for Risk Assessment

Puzzle Piece with Risk Assessment On ItLast week I noticed NIST put out another draft infosec document that they need comments on. This time the publication that needs updated is SP 800-30, Guide for Conducting Risk Assessment, Revision 1. And updated it is in need of… NIST released the original version almost 10 years ago. Then it was known as the “Risk Management Guide for Information Technology Systems.” This revision narrows the focus of the document to just risk assessment rather than the entire risk management process. As you may know SP 800-39, Managing Information Security Risk, has taken over those duties.

Over the years we’ve had several posts discussing this key document. @rybolov talked about it way back in 2008 where he discussed how NIST should not change it. SP 800-30 also made several appearances at many of the local meetups, including this ISSA DC meeting two years ago. A few months later @rybolov hit on it again in an overview post about NIST’s core publications.

NIST puts these recommendations out and many of us working around DC have to deal with them due to customer requirements. And we spend a lot of time complaining about what they should and shouldn’t be. Instead of complaining, this is our chance … again … to give some feedback.

You can grab a copy of the draft here [PDF]. Comments should be emailed to [email protected] by November 11th.


The National Institute of Standards and Technology unveiled Monday its initial draft of an update to its Guide for Conducting Risk Assessment, Special Publication 800-30, Revision 1.

The update’s focus on risk assessment, one of the four steps in the risk management process, expands from the earlier version of SP 800-30 to include more in-depth information on a variety of factors essential to determining information security risk, such as threat sources and events, vulnerabilities and impact and likelihood of threat occurrence. The draft guidance describes a three-step process that includes key activities to prepare for risk assessments, activities to successfully conduct risk assessments and approaches to maintain the currency of assessment results.

Continued here. also had a recent article on SP 800-30 that you may want to check out if you’re looking for a different perspective.


Today’s post image is from See ya!

4 comments for “NIST Wants You … Again … this Time for Risk Assessment

  1. September 26, 2011 at 5:47 pm

    #NOVABLOGGER: NIST Wants You … Again … this Time for Risk Assessment

  2. September 26, 2011 at 7:14 pm

    NIST Wants You … Again … this Time for Risk Assessment #novablogger #blogged

  3. September 26, 2011 at 9:45 pm

    #NIST Wants You … Again … this Time for #Risk Assessment: [] Last week I noticed #NIST put out…

  4. September 27, 2011 at 1:40 pm

    NIST needs you’re help on the next risk assessment recommendations.

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.