ShipCalculators.com

Risk Assessment (NIST SP 800-30)

E3. Technology, digitalization and smart shipping

Definition

A risk-assessment methodology often adopted shipboard.

NIST Special Publication 800-30 (Revision 1, September 2012), Guide for Conducting Risk Assessments, is the U.S. NIST methodology that frames information-security risk as a function of threat source, vulnerability, likelihood, and impact, producing a prioritized risk register. Shipping companies adopt it to assess maritime cyber risk for IMO Resolution MSC.428(98), feeding the cyber risk management plan in the ISM safety management system. It pairs with the NIST Cybersecurity Framework, which states what to manage; SP 800-30 states how to score it.

Source: NIST SP 800-30 Rev.1, Guide for Conducting Risk Assessments, September 2012