

NIST 800-30


The National Institute of Standards and Technology (NIST) has long published information security standards for the U.S. Federal Government. These include an entire suite of risk management publications, similar in many ways to the ISO 27000 series that is popular outside of the U.S. NIST's standard for risk assessment is Special Publication (SP) 800-30.

  • NIST 800-30 is the standard risk assessment approach of the U.S. Federal Government
  • NIST provides an entire framework for Risk Management, of which 800-30 is one component


An 800-30 aligned Risk Assessment typically makes sense for U.S. Government agencies and for organizations that perform a great deal of work for government clients. An 800-30 Risk Assessment can meet requirements set forth by Federal agencies and also shows where to focus security effort.


SecureState has an entire practice dedicated to the Federal space and years of experience with multiple risk frameworks, including NIST's. Our experienced staff has performed hundreds of these assessments and can align them to FAIR, ISO 27005, or OCTAVE in addition to NIST 800-30.

Did You Know?

  • NIST 800-30 is a key component of FISMA alignment and compliance
  • 800-30 is one part of the larger risk management process defined in NIST SP 800-39
  • NIST's risk management approach is, at a high level, quite similar to an ISO 27001 aligned security program

Our Approach and Methodology

NIST's 800-30 methodology takes a broader view than many other security risk assessments. Rather than looking only at technology, 800-30 applies the three-tier model of NIST SP 800-39 (organization, mission/business process, and information system), so business processes, organizational structure, and governance are examined alongside the systems themselves. This wider view provides much more context around identified risks, at the cost of a longer assessment.

Much like SecureState's iRisk approach, 800-30 examines potential threats together with their likelihood and impact, and identifies the vulnerabilities those threats may exploit. NIST backs this with a very robust catalog of controls (SP 800-53) that can be implemented to mitigate the identified risks. In addition, 800-30 itself supplies lengthy lists of threat sources and threat events, which simplifies threat identification and makes results more consistent from one assessment to the next.

Finally, three different assessment scales are provided for each component: qualitative, quantitative, and semi-quantitative. The assessor chooses the one that best matches the scope and goals of the assessment, and documents that choice, since the same set of threat events can rank differently under different scales.
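As an added example (not part of the original page, and not SecureState's iRisk methodology or NIST's code), the following Python sketch works through the scale choice described above. Four constructed threat events are scored on the semi-quantitative 0-100 scale, binned to the five qualitative levels, combined into a risk level using the likelihood-by-impact matrix of SP 800-30 Rev. 1 Table I-2 as recalled here (verify against the publication before reuse), and then ranked a second time quantitatively by annualized loss expectancy. The threat events, vulnerabilities, rates, and dollar figures are invented for illustration.

```python
"""Risk determination in the style of NIST SP 800-30 Rev. 1, Appendix I.

Added example, not SecureState's or NIST's code. The 0-100 bands and the
likelihood/impact matrix are this example's rendering of the SP 800-30 Rev. 1
assessment scales (Appendices G and H) and of Table I-2 (level of risk); check
them against the publication before reuse. The threat events in
SAMPLE_REGISTER, and their dollar figures, are constructed.
"""
from dataclasses import dataclass

LEVELS = ["Very Low", "Low", "Moderate", "High", "Very High"]

# Semi-quantitative bands from the SP 800-30 Rev. 1 assessment scales:
# a 0-100 score is binned to one of the five qualitative levels.
BANDS = [(0, 4, "Very Low"), (5, 20, "Low"), (21, 79, "Moderate"),
         (80, 95, "High"), (96, 100, "Very High")]

# Table I-2: row = likelihood that a threat event occurs and results in
# adverse impact; column index = impact level in LEVELS order.
RISK_MATRIX = {
    "Very High": ["Very Low", "Low", "Moderate", "High", "Very High"],
    "High":      ["Very Low", "Low", "Moderate", "High", "Very High"],
    "Moderate":  ["Very Low", "Low", "Moderate", "Moderate", "High"],
    "Low":       ["Very Low", "Low", "Low", "Low", "Moderate"],
    "Very Low":  ["Very Low", "Very Low", "Very Low", "Low", "Low"],
}


def to_level(score: int) -> str:
    """Bin a 0-100 semi-quantitative score to a qualitative level."""
    if not 0 <= score <= 100:
        raise ValueError(f"semi-quantitative score must be 0..100, got {score}")
    for low, high, level in BANDS:
        if low <= score <= high:
            return level
    raise AssertionError("BANDS must cover 0..100")


def risk_level(likelihood: str, impact: str) -> str:
    """Combine qualitative likelihood and impact per Table I-2."""
    return RISK_MATRIX[likelihood][LEVELS.index(impact)]


@dataclass
class ThreatEvent:
    name: str
    threat_source: str
    vulnerability: str
    likelihood: int        # semi-quantitative, 0-100
    impact: int            # semi-quantitative, 0-100
    annual_rate: float     # quantitative: expected occurrences per year (ARO)
    loss_per_event: float  # quantitative: single loss expectancy in dollars (SLE)

    def qualitative(self) -> dict:
        """Bin the scores and read the risk level off Table I-2."""
        lik, imp = to_level(self.likelihood), to_level(self.impact)
        return {"likelihood": lik, "impact": imp, "risk": risk_level(lik, imp)}

    def ale(self) -> float:
        """Annualized loss expectancy, ARO * SLE. This is a common quantitative
        measure; SP 800-30 leaves the choice of quantitative method to the assessor."""
        return self.annual_rate * self.loss_per_event


# Constructed register: four threat events for a fictional agency.
SAMPLE_REGISTER = [
    ThreatEvent("Phishing yields staff credentials", "External adversary",
                "No phishing-resistant MFA on webmail", 85, 60, 2.0, 40_000),
    ThreatEvent("Ransomware via unpatched VPN appliance", "External adversary",
                "Patch backlog on perimeter devices", 50, 98, 0.2, 1_500_000),
    ThreatEvent("Insider exfiltrates HR records", "Privileged insider",
                "Excess access to HR file share", 15, 90, 0.1, 250_000),
    ThreatEvent("Flooding of primary data center", "Environmental",
                "Single site, no failover", 3, 97, 0.02, 5_000_000),
]


def prioritize(register, scale="semi-quantitative"):
    """Order threat events by risk under the chosen scale.

    'semi-quantitative' bins the scores and ranks by Table I-2 risk level,
    breaking ties on impact, then likelihood; 'quantitative' ranks by ALE.
    """
    if scale == "quantitative":
        return sorted(register, key=lambda e: e.ale(), reverse=True)
    if scale == "semi-quantitative":
        def key(event):
            q = event.qualitative()
            return tuple(LEVELS.index(q[k]) for k in ("risk", "impact", "likelihood"))
        return sorted(register, key=key, reverse=True)
    raise ValueError(f"unknown scale {scale!r}")


if __name__ == "__main__":
    for scale in ("semi-quantitative", "quantitative"):
        print(f"\nPrioritized by {scale} scale:")
        for event in prioritize(SAMPLE_REGISTER, scale):
            q = event.qualitative()
            print(f"  {q['risk']:<9} ALE ${event.ale():>12,.0f}  {event.name}")
```

Running it shows why the scale choice matters: both scales put the ransomware event first and the insider event last, but the semi-quantitative matrix ranks phishing (High likelihood, Moderate impact) above the data center flood (Very Low likelihood, Very High impact), while the quantitative ALE ranking reverses the two because the flood's rare, very large loss outweighs the frequent, small phishing loss. The scale and the reasons for choosing it therefore belong in the documented scope of the assessment.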

What Makes Us Different

  • A NIST Risk Assessment examines business processes and organizational structure, not just technology
  • Threats are well defined, drawing on NIST's published threat source and threat event lists
  • The NIST approach looks at risk across the whole organization rather than system by system
