The Risk Assessment family is the eleventh family in the NIST 800-171 standard. This family addresses the proactive testing of systems and processes.


Why is Risk Assessment important?

Sure, cybersecurity is important to our business. But what is it that we need to protect? What controls do we put in place to protect it? Where might a threat come from? What is the worst-case scenario for our businesses and bottom lines? What happens if our risk factors change? Risk assessments help answer these questions and more. Performing risk assessments allows us to identify the proper controls to put in place to protect our assets from likely threats. Through risk assessments, we can determine how best to strengthen our areas of vulnerability. By scheduling regular, recurring risk assessments, we can also be more agile in adapting as system vulnerabilities and threats change.


What is Risk Assessment about in NIST 800-171?

There are three controls in the Risk Assessment family. The main focus of this family is on your ability to perform regular, recurring risk assessments. Risk assessment in the NIST 800-171 standard includes:

  1. Regularly conducting a risk assessment—Perform regularly scheduled risk assessments for your operations and individuals, protected assets, backup and storage, and communication procedures. Include the likelihood of threat in these areas and the extent of harm that could be caused if an attack or loss of data were to occur.
  2. Documenting risk assessment results—Review the results of your risk assessments. Document and share the results with key personnel across your organization. Results should not be ‘siloed’ by division.
  3. Updating risk assessments for significant changes to your systems and operations—Whenever there is a significant change in your operations or IT system, a new threat is identified, or your security is otherwise impacted, make sure to update your risk assessment. Updates should be timely, documented, and shared with key personnel.


Check back for our next blog post and learn more about the Security Assessment family. You may also be interested in reading our last post on Personnel Protection.



Katherine Bennett

Katherine Bennett leads the Instructional Design team for NCMEP partner NC State Industry Expansion Solutions. She also serves as project manager for instructional design services. Katherine plays a key leadership role in supporting the IES goal of providing instructional design and development expertise that complements the field-specific expertise of IES partners, while meeting the learning needs of target audiences. Katherine holds a bachelor’s degree in Computer Science from the University of North Carolina at Charlotte and a master’s degree in Instructional Technology from East Carolina University.