Before an organization can protect anything, it must first understand what can go wrong. NIST SP 800‑30 Rev. 1 provides the vocabulary and the four‑step process that federal agencies, and increasingly private‑sector organizations, use to identify threats, evaluate vulnerabilities, estimate likelihood and impact, and communicate risk in a consistent, repeatable way (National Institute of Standards and Technology [NIST], 2012).
Document Background
SP 800‑30 Rev. 1 is one piece of a larger risk management ecosystem. It serves as the companion document to SP 800‑37, which defines the Risk Management Framework (RMF), and SP 800‑39, which provides the overarching structure for managing information security risk at the organizational, mission/business‑process, and information‑system tiers. Where SP 800‑37 tells organizations when to assess risk (during the Categorize and Assess steps of the RMF), SP 800‑30 tells them how to do it (NIST, 2012).
The original SP 800‑30 was published in 2002 and reflected the threat landscape of that era. Revision 1, released a decade later, expanded the document substantially to account for advanced persistent threats, supply‑chain risks, insider threats, and the growing complexity of interconnected federal systems. It also aligned the risk assessment methodology with the three‑tier risk management hierarchy introduced in SP 800‑39 (NIST, 2012, Chapter 2).
The vocabulary defined in SP 800‑30 Rev. 1 underpins virtually every risk conversation in the federal space. When a security analyst talks about threat sources, threat events, likelihood of occurrence, or impact severity, they are drawing on the taxonomy and scales established in this document. For students entering cybersecurity, understanding these terms is not optional; they appear in job descriptions, certification exams, and compliance audits alike.
The Risk Model
At its core, SP 800‑30 Rev. 1 defines risk as a function of four factors: the threat source that might initiate or trigger a threat event, the vulnerability or predisposing condition that the threat event could exploit, the likelihood that the threat event will occur and succeed, and the impact on the organization if it does (NIST, 2012, Chapter 2).
Expressed informally, the risk model looks like this:
Risk = Threat Source × Threat Event × Vulnerability × Likelihood × Impact
Each component feeds into the next. A threat source (such as a nation‑state adversary) initiates a threat event (such as a spear‑phishing campaign). That event exploits a vulnerability (such as an unpatched email gateway). The likelihood captures both the probability the event occurs and the probability it succeeds given existing controls. The impact captures how much damage results, measured across confidentiality, integrity, and availability.
This model is deliberately general. SP 800‑30 does not prescribe a single formula or scoring algorithm. Instead, it provides assessment scales (qualitative, semi‑quantitative, or quantitative) and leaves organizations free to select the approach that best fits their mission context and data availability (NIST, 2012, Appendix D).
The document distinguishes between inherent risk (risk before any controls are applied) and residual risk (risk remaining after controls are in place). A well‑run risk assessment should evaluate both so that decision‑makers can see what their security investments are actually buying.
Threat Sources & Events
SP 800‑30 Rev. 1 organizes threat sources into four broad categories. Understanding these categories is essential because the nature of the threat source shapes the type of threat events it is likely to initiate, the tactics it may employ, and the level of resources it can bring to bear (NIST, 2012, Appendix D).
| Category | Description | Examples |
|---|---|---|
| Adversarial | Individuals, groups, organizations, or states that deliberately seek to exploit vulnerabilities | Nation‑state actors, hacktivists, insiders with malicious intent, organized criminal groups, corporate espionage |
| Accidental | Unintentional actions by authorized users that cause harm | Misconfigured firewall rules, accidental data deletion, sending sensitive data to the wrong recipient |
| Structural | Failures of equipment, environmental controls, or software | Hardware failure, software bugs, aging infrastructure, storage media degradation, capacity overload |
| Environmental | Natural or man‑made disasters and disruptions outside the organization's control | Earthquakes, floods, hurricanes, power grid failures, telecommunications outages |
For adversarial sources, the document further characterizes them by capability (the sophistication and resources available), intent (the motivation behind the attack), and targeting (whether the organization is a specific target or a target of opportunity). These three attributes help analysts differentiate between, say, a script kiddie probing random IP addresses and a nation‑state actor conducting a targeted intrusion campaign (NIST, 2012, Appendix D).
A threat event is any incident or occurrence that could adversely affect organizational operations, assets, or individuals. Threat events can be initiated by adversarial sources (an attacker launching a distributed denial‑of‑service attack) or caused by non‑adversarial sources (a power surge destroying a storage array). The document provides an extensive catalog of representative threat events in its appendices for organizations to use as a starting point during assessments (NIST, 2012, Appendix E).
Likelihood and Impact
Once threat sources, threat events, and vulnerabilities have been identified, the assessor must estimate two things: how likely it is that a given threat event will be initiated or will occur, and how severe the impact will be if it succeeds. SP 800‑30 Rev. 1 provides a five‑point qualitative scale for each (NIST, 2012, Appendix G).
Likelihood Scale
| Level | Score | Description |
|---|---|---|
| Very High | 10 | The threat event is almost certain to be initiated or to occur; adversary capability, intent, and targeting (or frequency of non‑adversarial events) are very strong |
| High | 8 | The threat event is highly likely to be initiated or to occur |
| Moderate | 5 | The threat event is somewhat likely to be initiated or to occur |
| Low | 2 | The threat event is unlikely to be initiated or to occur |
| Very Low | 0 | The threat event is highly unlikely to be initiated or to occur |
Impact Scale
| Level | Score | Description |
|---|---|---|
| Very High | 10 | The threat event could cause catastrophic adverse effects on organizational operations, assets, individuals, or the nation |
| High | 8 | The threat event could cause severe or catastrophic adverse effects |
| Moderate | 5 | The threat event could cause serious adverse effects |
| Low | 2 | The threat event could cause limited adverse effects |
| Very Low | 0 | The threat event could cause negligible adverse effects |
The document emphasizes that likelihood is really a combination of two sub‑factors: the likelihood of initiation (for adversarial threats) or likelihood of occurrence (for non‑adversarial threats), and the likelihood of success given existing security controls and vulnerabilities. An adversary may be highly motivated to attack (high likelihood of initiation), but if the organization has strong countermeasures, the likelihood of the attack actually succeeding may be much lower (NIST, 2012, Chapter 3).
Impact is assessed across multiple dimensions, including harm to operations (mission degradation, loss of capability), harm to assets (financial loss, data loss), harm to individuals (privacy breach, physical safety), and harm to other organizations or the nation. The worst‑case impact across all relevant dimensions typically drives the overall impact rating (NIST, 2012, Appendix H).
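A worked semi-quantitative scoring of the page's own spear-phishing scenario on the five-point scales above, as an added example that is not code from NIST or from the page: it combines the two likelihood sub-factors, derives a risk level, and contrasts inherent with residual risk. The combination and rounding rules are assumptions of this example, since SP 800-30 leaves the choice to the organization; `ThreatScenario`, `with_controls` and the scenario values are constructed.

```python
from dataclasses import dataclass, replace

# Semi-quantitative scores for the five-point scales quoted on this page.
LEVELS = {"Very Low": 0, "Low": 2, "Moderate": 5, "High": 8, "Very High": 10}

def level_for(score: float) -> str:
    """Nearest named level for a 0-10 score; ties go to the lower level (assumed rounding)."""
    return min(LEVELS, key=lambda name: abs(LEVELS[name] - score))

@dataclass(frozen=True)
class ThreatScenario:
    source: str         # threat source, e.g. "Adversarial: nation-state"
    event: str          # threat event the source initiates
    vulnerability: str  # vulnerability or predisposing condition exploited
    initiation: str     # likelihood of initiation (occurrence, if non-adversarial)
    success: str        # likelihood of success given the controls in place
    impact: str         # worst-case impact across operations, assets, individuals

def overall_likelihood(s: ThreatScenario) -> str:
    """Combine the two Chapter 3 sub-factors. Assumed rule: take the weaker of
    'it is initiated' and 'it succeeds', so strong controls pull a motivated
    adversary's overall likelihood down."""
    return level_for(min(LEVELS[s.initiation], LEVELS[s.success]))

def risk_level(s: ThreatScenario) -> str:
    """Combine likelihood and impact. Assumed rule: scale the score product back
    onto 0-10, so Very Low on either axis yields Very Low risk."""
    return level_for(LEVELS[overall_likelihood(s)] * LEVELS[s.impact] / 10)

def with_controls(s: ThreatScenario, success_after: str) -> ThreatScenario:
    """Residual-risk view: same source, event and impact, but controls have
    lowered the likelihood of success (the scenario as given is inherent risk)."""
    return replace(s, success=success_after)

# Constructed scenario, following the page's illustration: a nation-state
# spear-phishing campaign against an unpatched email gateway, no controls yet.
PHISHING = ThreatScenario(
    source="Adversarial: nation-state", event="Spear-phishing campaign",
    vulnerability="Unpatched email gateway",
    initiation="Very High", success="Very High", impact="High",
)
# Assumed effect of patching the gateway and enforcing MFA: success drops to Low.
PHISHING_RESIDUAL = with_controls(PHISHING, "Low")

if __name__ == "__main__":
    for label, s in (("inherent", PHISHING), ("residual", PHISHING_RESIDUAL)):
        print(f"{label}: likelihood={overall_likelihood(s)}, risk={risk_level(s)}")
```

Running it shows the point made in Chapter 3: the adversary's motivation is unchanged, yet the residual risk drops from High to Low once controls cut the likelihood of success.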
The Four‑Step Process
SP 800‑30 Rev. 1 structures the risk assessment into four sequential steps. Each step has defined inputs, activities, and outputs. The process is designed to be repeatable, scalable, and applicable at all three tiers of the risk management hierarchy (NIST, 2012, Chapter 3).
Step 1: Prepare for the Assessment
Establish the context: define the purpose and scope of the assessment, identify the assumptions and constraints, select the risk model and assessment approach (qualitative, semi‑quantitative, or quantitative), and identify the sources of threat, vulnerability, and impact information that will be used. This step also involves identifying the risk tolerance of decision‑makers and ensuring organizational buy‑in (NIST, 2012, Section 3.1).
Step 2: Conduct the Assessment
This is the analytical core. The assessor identifies threat sources and threat events, identifies vulnerabilities and predisposing conditions, determines the likelihood of threat event initiation or occurrence, determines the likelihood of impact given successful exploitation, and determines the overall risk by combining likelihood and impact. The output is a list of risks with associated risk levels (NIST, 2012, Section 3.2).
Step 3: Communicate Results
Risk assessment results must be communicated clearly to decision‑makers at the appropriate organizational tier. The communication should include the risk determinations themselves, the assumptions made, the assessment methodology used, any uncertainty or limitations in the data, and recommended risk responses. Effective risk communication is a skill in itself; a technically brilliant assessment that no executive can understand has no value (NIST, 2012, Section 3.3).
Step 4: Maintain the Assessment
Risk assessments are living documents. The threat landscape changes, new vulnerabilities emerge, controls are added or removed, and organizational missions evolve. Step 4 requires organizations to monitor risk factors on an ongoing basis, update the assessment when significant changes occur, and feed lessons learned back into the risk management process (NIST, 2012, Section 3.4).
SP 800‑30 is not a one‑time checklist. It is designed to produce assessments that are maintained over time. Many organizations make the mistake of treating risk assessments as annual compliance artifacts rather than living tools for decision‑making. The document explicitly warns against this approach and emphasizes that ongoing monitoring is essential to keeping risk determinations current and actionable (NIST, 2012, Chapter 3).
The four‑step process can be applied at different levels of detail depending on the tier. At the organizational tier (Tier 1), the assessment focuses on strategic risk to the mission. At the mission/business‑process tier (Tier 2), it examines risk to specific programs or business lines. At the information‑system tier (Tier 3), it evaluates risk to individual systems. Results from lower tiers feed upward to inform higher‑tier risk decisions, and higher‑tier guidance flows downward to shape how lower‑tier assessments are scoped and prioritized (NIST, 2012, Chapter 2).
Citing This Document (APA 7)
SP 800‑30 Rev. 1 is a group‑author technical report published by a government agency. In APA 7 format, the agency is the author, the special publication number serves as the report identifier, and the parent department is the publisher.
- Reference list entry
  - National Institute of Standards and Technology. (2012). Guide for conducting risk assessments (NIST Special Publication 800‑30 Rev. 1). U.S. Department of Commerce. https://doi.org/10.6028/NIST.SP.800-30r1
- First in‑text citation (introduces the abbreviation)
  - (National Institute of Standards and Technology [NIST], 2012)
- Subsequent in‑text citations
  - (NIST, 2012)
- Citation referencing a specific section
  - (NIST, 2012, Section 3.2)
- Narrative citation
  - The National Institute of Standards and Technology (NIST, 2012) defines risk as a function of threat, vulnerability, likelihood, and impact.
When citing appendix material (the threat source taxonomy, likelihood scales, or impact scales), reference the specific appendix letter rather than a section number. For example: (NIST, 2012, Appendix D).
References
- National Institute of Standards and Technology. (2012). Guide for conducting risk assessments (NIST Special Publication 800‑30 Rev. 1). U.S. Department of Commerce. https://doi.org/10.6028/NIST.SP.800-30r1
- National Institute of Standards and Technology. (2011). Managing information security risk: Organization, mission, and information system view (NIST Special Publication 800‑39). U.S. Department of Commerce. https://doi.org/10.6028/NIST.SP.800-39
- National Institute of Standards and Technology. (2018). Risk management framework for information systems and organizations (NIST Special Publication 800‑37 Rev. 2). U.S. Department of Commerce. https://doi.org/10.6028/NIST.SP.800-37r2