Reports on Computer Systems Technology :
The Information Technology Laboratory (ITL) at the National Institute of Standards and Technology
promotes the U.S. economy and public welfare by providing technical leadership for the nation’s
measurement and standards infrastructure. ITL develops tests, test methods, reference data, proof-ofconcept implementations, and technical analyses to advance the development and productive use of
information technology. ITL’s responsibilities include the development of technical, physical,
administrative, and management standards and guidelines for the cost-effective security and privacy of
sensitive unclassified information in federal computer systems. The Special Publication 800-series
reports on ITL’s research, guidance, and outreach efforts in computer security, and its collaborative
activities with industry, government, and academic organizations.
Acknowledgments :
The authors, Gary Stoneburner, from NIST and Alice Goguen and Alexis Feringa from Booz
Allen Hamilton wish to express their thanks to their colleagues at both organizations who
reviewed drafts of this document. In particular, Timothy Grance, Marianne Swanson, and Joan
Hash from NIST and Debra L. Banning, Jeffrey Confer, Randall K. Ewell, and Waseem
Mamlouk from Booz Allen provided valuable insights that contributed substantially to the
technical content of this document. Moreover, we gratefully acknowledge and appreciate the
many comments from the public and private sectors whose thoughtful and constructive
comments improved the quality and utility of this publication.
INTRODUCTION :
Every organization has a mission. In this digital era, as organizations use automated information
technology (IT) systems to process their information for better support of their missions, risk
management plays a critical role in protecting an organization’s information assets, and therefore
its mission, from IT-related risk.
An effective risk management process is an important component of a successful IT security
program. The principal goal of an organization’s risk management process should be to protect
the organization and its ability to perform their mission, not just its IT assets. Therefore, the risk
management process should not be treated primarily as a technical function carried out by the IT
experts who operate and manage the IT system, but as an essential management function of the
organization.
AUTHORITY :
This document has been developed by NIST in furtherance of its statutory responsibilities under
the Computer Security Act of 1987 and the Information Technology Management Reform Act of
1996 (specifically 15 United States Code (U.S.C.) 278 g-3 (a)(5)). This is not a guideline within
the meaning of 15 U.S.C 278 g-3 (a)(3).
These guidelines are for use by Federal organizations which process sensitive information.
They are consistent with the requirements of OMB Circular A-130, Appendix III.
The guidelines herein are not mandatory and binding standards. This document may be used by
non-governmental organizations on a voluntary basis. It is not subject to copyright.
Nothing in this document should be taken to contradict standards and guidelines made
mandatory and binding upon Federal agencies by the Secretary of Commerce under his statutory
SEO Manik 