3.11.1 Periodically assess the risk to organizational operations (including mission, functions, image, or reputation), organizational assets, and individuals, resulting from the operation of organizational systems and the associated processing, storage, or transmission of CUI.
To go back to the NIST 800-171 Controls page, click here.
Guides
- ISACA – Performing a Security Risk Assessment
- NIST SP 800-30 – Guide to Conducting Risk Assessments
- VITA – Example Risk Assessment
- State of Massachusetts – Information Security Risk Assessment Guidelines
Example Tools
- FFIEC – Cybersecurity Assessment Tool
- Mitre – Risk Management Toolkit
- National Cybersecurity & Communications Integration Center – Cyber Security Evaluation Tool
Sample Policy & Procedures
- Environmental Protection Agency – Information Procedure – Information Security – Risk Assessment Procedures
- SANS Institute – Consensus Policy Resource Community – Risk Assessment Policy