NIST Risk Assessment: Process, Tiers and Implementation


February 5, 2023
Last Updated: January 3, 2024

What Is NIST Risk Assessment? 

The National Institute of Standards and Technology (NIST) is a physics laboratory and non-regulatory body, which is part of the US Department of Commerce. Its mission is to promote innovation and industrial competitiveness in the United States. 

NIST’s activities consist of laboratory programs including nanoscience and technology, engineering, information technology, neutron research, materials measurement, and physical measurement. In addition, NIST provides standards that can help organizations better organize and secure business activities.

NIST Risk Assessment (Special Publication 800-30) is the identification of risk factors that could negatively affect an organization’s ability to conduct business. These assessments help identify business risks and provide actions, processes and controls to mitigate the impact of these risks on business operations. The purpose of NIST Special Publication 800-30 is to provide guidance for conducting risk assessments of federal information systems and organizations.

This is part of a series of articles about the NIST Cybersecurity Framework.

The NIST Risk Assessment Procedure 

If your organization follows NIST guidelines for cybersecurity, a NIST risk assessment will be an integral part of the organization’s cybersecurity program.

Private sector companies might not need to comply with all the controls of the NIST Cybersecurity Framework (CSF). However, the Federal Information Security Modernization Act (FISMA) requires all companies doing business with the Department of Defense (DoD) at least to comply with the NIST Risk Management Framework (RMF), including risk assessment.

According to NIST’s guidelines, the risk assessment process should consist of the following steps:

  • Prepare – review key internal activities at the organization, mission/business process, and information system levels to better manage security and privacy risks.
  • Categorize – determine the sensitivity of the organization’s data and systems in terms of potential worst-case scenarios and the potential damage to the organization or to specific business functions.
  • Select – use the previous steps as a baseline to identify security controls, applying guidance as needed based on the risk assessment.
  • Implement – implement the security controls in environments and systems using verifiable systems security engineering practices.
  • Assess – determine the effectiveness of the security controls: whether they are implemented correctly, operate as intended, and meet the security requirements.
  • Authorize – have an Authorizing Official review the assessment results and decide whether the risk level is acceptable.
  • Monitor – regularly track changes to existing controls and security incidents, and reassess the effectiveness of the security controls.

3 Tiers of the NIST Risk Assessment 

The tiered approach is one of the most powerful NIST risk assessment concepts. It is easy to misjudge the level at which a risk assessment is being conducted. For instance, security specialists often conduct risk assessments at Tier 3 but cannot explain the assessment results to the senior management team.

This communication difficulty stems from the technical complexity of Tier 3 risk assessments, which are not suited to a senior management audience.

NIST introduced the tiered approach to help solve this issue: 

  • Tier 1 – the risk assessment looks at risks across all levels of the organization, including risks in business models, the organization’s design, and long-term objectives.
  • Tier 2 – the risk assessment focuses on business processes, such as marketing, sales, and HR. It focuses on the context of a single business process at a high level.
  • Tier 3 – the risk assessment focuses on the technical level, evaluating the organization’s information systems. It identifies the risks in systems, applications, and data flows.

The main challenge with this tiered approach is to align the different tiers – you need to place risks in context. A Tier 3 risk must consider the context of Tier 2, while Tier 2 risks must consider the context of Tier 1.

For example, you might discover a high risk at Tier 3, such as an application likely to crash regularly. However, this application doesn’t pose a risk to the actual business process – it will not disrupt the business process if the application crashes. Thus, a risk that is critical at Tier 3 can be non-critical at other tiers or to the organization as a whole.

Learn more in our detailed guide to NIST incident response.

Implementing NIST SP 800-30 in Your Organization 

Step 1: Prepare for an Assessment

Lay the groundwork for the risk assessment by providing the scope and context. This plan keeps everyone on the same page regarding the assessment process.

The preparation phase involves identifying the following: 

  • The assessment’s purpose – the information the assessment is meant to produce. 
  • Scope – the budget, timeframe, and evaluated aspects. 
  • Constraints and assumptions – how do these affect the assessment?
  • Information sources – the inputs used for the assessment. 
  • Risk model – the analytic approach used in the assessment.

Step 2: Conduct the Assessment

Produce a prioritized list of findings from the risk assessment to inform decisions about security risks. This step should adhere to the plan set out in Step 1 and include these activities:

  • Identify threat sources and events – characterize threat sources by type, intent, and capability, identify the threat events each could cause, and discern the impact level of each threat. A threat source may be adversarial or accidental. SP 800-30 provides standardized tables of threat source inputs and rating scales to help categorize events and sources.
  • Identify existing vulnerabilities – check the infrastructure for vulnerabilities and determine their level of exposure and impact.
  • Determine likelihood of exploitation – analyze the likelihood of the organization experiencing each security event. Consider your susceptibility based on planned and implemented countermeasures. 
  • Determine impact – estimate the probable impact of each security event. Consider all business-critical factors, such as data loss, financial losses, legal consequences, and damaged business reputation. 
  • Determine risk level – calculate the risk based on each threat’s likelihood and impact. The highest risks are events with a high likelihood of occurring and high impact.
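The following Python example is added here to illustrate both the risk determination step above and the tier alignment discussed earlier (a Tier 3 finding that is critical for a system but not for the business process it serves). It is not code from the original article, from NIST, or from Cynet. The five-point rating scale and the likelihood-by-impact matrix are modeled on the semi-qualitative level-of-risk table in SP 800-30 Rev. 1 Appendix I; treat the exact cell values as an assumption to be checked against the publication. The threat events are constructed sample data, and the split into a Tier 3 "technical impact" and a Tier 2 "business impact" is this example's own modelling choice.

```python
"""Semi-qualitative risk determination in the style of NIST SP 800-30 Rev. 1.

Added example, not code from the original article, NIST, or Cynet.
RISK_MATRIX is modeled on the SP 800-30 Rev. 1 Appendix I level-of-risk
table; the exact cells are an assumption and should be checked against
the publication. The threat events below are constructed sample data.
"""
from dataclasses import dataclass

# Ordered rating scale used for both likelihood and impact.
LEVELS = ("Very Low", "Low", "Moderate", "High", "Very High")

# Rows: likelihood that the threat event occurs and results in adverse impact.
# Columns (in LEVELS order): level of impact. Cell: resulting level of risk.
RISK_MATRIX = {
    "Very High": ("Very Low", "Low", "Moderate", "High", "Very High"),
    "High":      ("Very Low", "Low", "Moderate", "High", "Very High"),
    "Moderate":  ("Very Low", "Low", "Moderate", "Moderate", "High"),
    "Low":       ("Very Low", "Low", "Low", "Low", "Moderate"),
    "Very Low":  ("Very Low", "Very Low", "Very Low", "Low", "Low"),
}


def risk_level(likelihood: str, impact: str) -> str:
    """Look up the level of risk for one threat event; reject unknown ratings."""
    if likelihood not in LEVELS or impact not in LEVELS:
        raise ValueError(f"unknown rating: {likelihood!r} / {impact!r}")
    return RISK_MATRIX[likelihood][LEVELS.index(impact)]


@dataclass
class ThreatEvent:
    name: str
    source: str            # "adversarial" or "accidental" (SP 800-30 threat source types)
    likelihood: str        # Tier 3 judgment: how likely the event is on this system
    technical_impact: str  # Tier 3 judgment: effect on the information system itself
    business_impact: str   # Tier 2 judgment: effect on the business process it supports


def assess(events):
    """Return (name, tier3_risk, contextual_risk) per event, highest contextual risk first.

    tier3_risk is what a purely technical assessment would report; contextual_risk
    re-evaluates the same likelihood against the Tier 2 business impact, which is
    the tier alignment the article describes.
    """
    rows = []
    for ev in events:
        tier3 = risk_level(ev.likelihood, ev.technical_impact)
        contextual = risk_level(ev.likelihood, ev.business_impact)
        rows.append((ev.name, tier3, contextual))
    # Sort so the events that matter most to the organization come first.
    rows.sort(key=lambda r: LEVELS.index(r[2]), reverse=True)
    return rows


# Constructed sample register. The first event mirrors the article's example of an
# application that crashes often (high Tier 3 risk) but does not disrupt the process.
SAMPLE_EVENTS = [
    ThreatEvent("Reporting app crashes under load", "accidental", "Very High", "High", "Low"),
    ThreatEvent("Credential phishing against finance staff", "adversarial", "High", "Moderate", "High"),
    ThreatEvent("Backup media lost in transit", "accidental", "Low", "High", "Very High"),
]

if __name__ == "__main__":
    for name, t3, ctx in assess(SAMPLE_EVENTS):
        print(f"{name:45s} Tier 3: {t3:9s} In context: {ctx}")
```

Running the module prints the register ordered by contextual risk: the phishing event comes out High, the lost backup media Moderate, and the crashing application, despite its High Tier 3 rating, Low. Keeping the Tier 3 rating alongside the contextual one lets the technical team track the system defect while management sees the risk that actually applies to the business process.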

Step 3: Notify Stakeholders of the Results

All decision-makers must have access to relevant information about security risks. This step involves communicating the risk assessment results and sharing this information to support risk management efforts. Use standardized taxonomies, categorizations, and rating scales to make decisions easy to understand and help the organization implement improvements.

Step 4: Maintain Ongoing Assessments

The findings from the latest risk assessment should support future decisions and responses related to risk management. Your long-term risk assessment strategy should include continuously monitoring risk factors and updating risk assessments – these activities help the organization understand how risk factors change over time.

Cynet’s 24/7 Incident Response Team: Supporting NIST Incident Response Processes

Cynet has an outsourced incident response team that anyone can use, including small, medium and large organizations. The incident response team provides professional security staff who are equipped to carry out fast, effective incident response activities. 

Cynet can deploy the Cynet security platform in just minutes across hundreds to thousands of endpoints. They can scan, identify, analyze and attend to threats before any harm is done. The Cynet incident response team can assist with: 

  • 24/7 incident response—such as identification, containment, eradication and recovery
  • Deep forensic investigations—collecting data to determine the scope of an attack and who is accountable
  • Threat hunting—analyzing security data to proactively identify advanced threats
  • Malware analysis—examining malware in a sandbox to see its components and how to remediate it

Contact Cynet for immediate help

For emergency assistance from Cynet’s security experts, call them now at US 1-(347)-474-0048, International +44-203-290-9051, or contact us.
