NIST 800-30 in Practice: From Threat Catalogue to Prioritised Action

Standarity Editorial Team · NIST 800-30 Practitioners & Risk Assessment Specialists

NIST SP 800-30 is the federal standard for conducting cybersecurity risk assessments and one of the most useful methodologies in the practitioner toolkit. Its strength is also its weakness: the methodology is comprehensive and rigorous enough that teams sometimes invest months in following it precisely and then deliver a risk register nobody acts on. The output of risk assessment is not the document. It is the decisions that come from the document.

The Four Steps the Standard Defines

  • Prepare for the assessment: define purpose, scope, assumptions, constraints, and the threat sources to consider.
  • Conduct the assessment: identify threats, vulnerabilities, the likelihood of each combination, and the impact.
  • Communicate results: translate the assessment into actionable information for decision-makers.
  • Maintain the assessment: keep it current as threats, environment, and risk tolerance evolve.

The first three steps are where most teams focus. The fourth — maintenance — is where most assessments fail. A risk assessment that was thorough at the time and is now 18 months old is not a current artefact. It is a historical document that may or may not still describe the organisation accurately.

Threat Sources: Be Specific

Generic threat catalogues ("attackers will attempt to access data") produce generic risk assessments. NIST 800-30 supports specificity: adversarial threats can be characterised by capabilities, intent, targeting, and observed tactics. For most organisations the relevant adversary categories are organised crime (financially motivated, opportunistic), nation-state (targeted, persistent, sophisticated), insiders (privileged access, motivated by grievance or financial pressure), and hacktivists (publicity-driven, varied capability).

Likelihood and Impact Without False Precision

NIST 800-30 supports both qualitative and quantitative analysis. The pragmatic choice for most organisations is semi-quantitative: ordinal scales (very low through very high) defined in concrete terms, applied consistently. Be wary of pure quantitative analysis with apparent two-decimal-place precision — the input data rarely supports it, and the false precision discredits the output when stakeholders push back.

A useful sanity check: if your risk assessment ranks every risk as "moderate," you have a methodology that does not discriminate. Force-rank the top ten risks. If two practitioners cannot agree on the ordering, the criteria are not specific enough. Tighten the rubric.
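As an added example (not from the article), here is a small Python implementation of the semi-quantitative approach described above: an ordinal scale with concrete definitions, a likelihood-by-impact matrix in the style of SP 800-30 Appendix I (the cells are constructed for this example, not quoted from the standard), a deterministic force-ranking, and the "everything is moderate" sanity check. The rubric wording, the sample register and the 50% threshold are assumptions.

```python
from collections import Counter

# Shared ordinal scale. Each level is defined in concrete terms so that two
# assessors apply it the same way (constructed likelihood rubric).
LEVELS = ["very low", "low", "moderate", "high", "very high"]
LIKELIHOOD_RUBRIC = {
    "very low": "not expected within 10 years",
    "low": "plausible within 10 years, no local precedent",
    "moderate": "expected within 1-3 years or observed at a peer",
    "high": "expected within 12 months",
    "very high": "expected within 90 days or already observed",
}

# Risk level indexed [likelihood][impact], in the style of SP 800-30
# Appendix I; cells are constructed here, not quoted from the standard.
RISK_MATRIX = {
    "very low":  ["very low", "very low", "very low", "low", "low"],
    "low":       ["very low", "low", "low", "low", "moderate"],
    "moderate":  ["very low", "low", "moderate", "moderate", "high"],
    "high":      ["very low", "low", "moderate", "high", "very high"],
    "very high": ["very low", "low", "moderate", "high", "very high"],
}

def risk_level(likelihood, impact):
    return RISK_MATRIX[likelihood][LEVELS.index(impact)]

def force_rank(register):
    """Order (id, likelihood, impact) rows highest risk first. Ties break on
    impact, then likelihood, so two practitioners get the same ordering."""
    def key(row):
        _, lik, imp = row
        return (LEVELS.index(risk_level(lik, imp)), LEVELS.index(imp), LEVELS.index(lik))
    return [(rid, risk_level(lik, imp)) for rid, lik, imp in sorted(register, key=key, reverse=True)]

def discriminates(ranked, max_share=0.5):
    """The article's sanity check: if one band holds more than max_share of the
    ranked risks, the rubric does not discriminate. Returns (ok, band, share)."""
    band, n = Counter(level for _, level in ranked).most_common(1)[0]
    share = n / len(ranked)
    return share <= max_share, band, share

# Constructed sample register: (risk id, likelihood, impact).
SAMPLE_REGISTER = [
    ("R1 ransomware via phishing", "high", "very high"),
    ("R2 insider data exfiltration", "moderate", "high"),
    ("R3 hacktivist defacement", "moderate", "low"),
    ("R4 nation-state supply-chain compromise", "low", "very high"),
    ("R5 lost unencrypted laptop", "high", "moderate"),
]
```

Calling `force_rank(SAMPLE_REGISTER)` places R1 first and R3 last, and `discriminates(...)` on that result reports that three of five risks share the "moderate" band, the signal the text says should trigger tightening the rubric.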

Translating Findings into Action

The most useful output of NIST 800-30 is not a register — it is a small set of decisions. Which risks are accepted, who owns them, and what would change that decision? Which require treatment, who is funded to deliver it, and on what timeline? Which need monitoring, with what triggers? A risk assessment that does not produce these decisions is documentation. One that does is governance.

How Often to Reassess

  • Full reassessment annually for the in-scope environment
  • Targeted reassessment when a major change occurs — new acquisition, major architecture shift, new regulation
  • Continuous monitoring against indicators that would invalidate the assessment's assumptions
  • Lightweight quarterly review of the top risks for any material change

The methodology in NIST 800-30 is durable because it is honest about uncertainty. It does not promise precise answers. It produces structured judgement that improves over time as the organisation builds shared vocabulary, calibrated estimates, and a track record of treatment effectiveness. That compounding is the long-term value of doing risk assessment well.
