The National Institute of Standards and Technology released an extensive update to the agency’s Guide for Conducting Risk Assessments that aims to be the risk assessment guidance source for federal information systems.
The updated guide expands its treatment of risk factors: threat sources and threat events, vulnerabilities and predisposing conditions, impact, and the likelihood of threat occurrence. It also lays out a three-step process that organizations can use to assess these risks and keep the results current.
“Risk assessments can help federal agencies effectively evaluate the current threat, organizational and information system vulnerabilities, potential adverse impacts to core missions and business operations—using the results to determine appropriate risk responses,” said NIST Fellow Ron Ross.
The guide, which has not been updated in nine years, will be available for public comment until November 4. Comments can be emailed to sec-cert@nist.gov.