NIST 800-171 | RISK ASSESSMENT
How does the "risk assessment" family in NIST 800-171 differ from the "security assessment" family?
NIST 800-171 requirements are deliberately broad, and this family is broader than most. It discusses the organizational "mission" and scanning for vulnerabilities in the same family, even though organizational mission and vulnerability management are normally handled by very different roles at very different levels of a company. The basic requirement is to conduct an assessment at the entity level and at the IT/technology level. An entity-level risk assessment is a macro view of the risks and paints a broad picture, for example "too few resources assigned to compliance could cost the company a government contract." A technical risk assessment is what 3.11.2 describes: scanning your network, systems and applications for vulnerabilities. The security assessment family (3.12), by contrast, asks whether the security requirements you have implemented are actually in place and operating as intended; the risk assessment family asks what could go wrong, how likely it is, and how much it would hurt.
3.11.1 Periodically assess the risk to organizational operations (including mission, functions, image, or reputation), organizational assets, and individuals, resulting from the operation of organizational information systems and the associated processing, storage, or transmission of CUI.
These risk assessments consider threats, vulnerabilities, likelihood, and impact to organizational operations, organizational assets, and individuals based on the operation and use of organizational systems.
Risk assessments also consider risk from external parties:
Contractors operating systems on behalf of the organization
Individuals accessing organizational systems
Risk assessments, either formal or informal, can be conducted at:
The organization level, the mission or business process level, or the system level
Any phase in the system development life cycle
NIST Special Publication 800-30 provides guidance on conducting risk assessments.
3.11.2 Scan for vulnerabilities in the information system and applications periodically and when new vulnerabilities affecting the system are identified.
Organizations determine the required vulnerability scanning for all system components, ensuring that potential sources of vulnerabilities are not overlooked.
The vulnerabilities to be scanned need to be readily updated as new vulnerabilities are discovered, announced, and scanning methods developed.
Vulnerability scanning includes:
Scanning for patch levels
Scanning for functions, ports, protocols, and services that should not be accessible to users or devices
Scanning for improperly configured or incorrectly operating information flow control mechanisms.
Organizations consider using scanning tools that express vulnerabilities in the Common Vulnerabilities and Exposures (CVE) naming convention and that use the Open Vulnerability Assessment Language (OVAL) to determine the presence of vulnerabilities.
Sources for vulnerability information include the Common Weakness Enumeration (CWE) listing and the National Vulnerability Database (NVD).
Organizations also consider using scanning tools that express vulnerability impact by the Common Vulnerability Scoring System (CVSS).
NIST Special Publication 800-40 provides guidance on vulnerability management
3.11.3 Remediate vulnerabilities in accordance with assessments of risk.
Vulnerabilities discovered by the scanning required under 3.11.2 are remediated in an order and on a timeline driven by the assessment of risk under 3.11.1, so a finding's priority reflects the exposure and impact of the affected system, not just the scanner's severity rating.
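As an added worked example (not text from NIST or from this page), the following Python script shows how scanner output expressed in CVE/CVSS terms and a check for services that should not be reachable (both from 3.11.2) are combined with the per-asset impact ratings produced by the 3.11.1 assessment to yield the risk-ranked remediation queue that 3.11.3 calls for. The host names, allowed-service baselines, open-port list and impact ratings are all constructed; the CVE scores approximate NVD's CVSS v3 base scores for those well-known CVEs, and the 7/30/90-day remediation windows are illustrative assumptions, not values from the standard.

```python
"""Turn CVE/CVSS scan findings plus an asset-level risk assessment into a
risk-ranked remediation queue (NIST 800-171 3.11.2 -> 3.11.3).
All inventory and scan data below is constructed sample input."""
from dataclasses import dataclass

# Impact ratings carried over from the entity-level assessment (3.11.1):
# how bad is it for the organization if this asset is compromised?
IMPACT = {"low": 1, "moderate": 2, "high": 3}

# Constructed inventory. "allowed" is the baseline of services that SHOULD be
# reachable on each host; anything else the scanner sees is a finding.
ASSETS = {
    "cui-fileserver":  {"impact": "high",     "allowed": {"tcp/22", "tcp/445"}},
    "web-dmz":         {"impact": "moderate", "allowed": {"tcp/443"}},
    "dev-workstation": {"impact": "low",      "allowed": {"tcp/22"}},
}

# Constructed scanner output in CVE naming with CVSS v3 base scores
# (scores approximate NVD values for these CVEs; treat them as sample data).
CVE_FINDINGS = [
    ("dev-workstation", "CVE-2021-44228", 10.0),  # Log4Shell
    ("cui-fileserver",  "CVE-2014-0160",   7.5),  # Heartbleed
    ("web-dmz",         "CVE-2019-0708",   9.8),  # BlueKeep
]

# Constructed port-scan output: (host, listening service)
OPEN_SERVICES = [
    ("cui-fileserver", "tcp/22"), ("cui-fileserver", "tcp/445"), ("cui-fileserver", "tcp/23"),
    ("web-dmz", "tcp/443"), ("web-dmz", "tcp/3389"),
    ("dev-workstation", "tcp/22"),
]


@dataclass
class Finding:
    host: str
    description: str
    likelihood: int  # 1..3, derived from the CVSS band or from exposure
    impact: int      # 1..3, from the asset's risk assessment

    @property
    def risk(self) -> int:
        # Qualitative likelihood x impact matrix in the style of SP 800-30.
        return self.likelihood * self.impact


def cvss_to_likelihood(score: float) -> int:
    """Map a CVSS v3 base score to a qualitative likelihood level using the
    CVSS rating bands (Critical 9.0+, High 7.0-8.9, everything else lower)."""
    if score >= 9.0:
        return 3
    if score >= 7.0:
        return 2
    return 1


def unauthorized_services(host: str, open_services) -> list:
    """Listening services on `host` that are not in its allowed baseline."""
    return sorted(s for h, s in open_services
                  if h == host and s not in ASSETS[host]["allowed"])


def build_findings(cve_findings, open_services) -> list:
    findings = []
    for host, cve, score in cve_findings:
        findings.append(Finding(host, f"{cve} (CVSS {score})",
                                cvss_to_likelihood(score), IMPACT[ASSETS[host]["impact"]]))
    for host in ASSETS:
        for svc in unauthorized_services(host, open_services):
            # An unexpected listener is treated as likely exploitable (level 2)
            # even when no CVE is attached to it yet.
            findings.append(Finding(host, f"unauthorized service {svc}",
                                    2, IMPACT[ASSETS[host]["impact"]]))
    return findings


def remediation_sla_days(risk: int) -> int:
    """Illustrative remediation windows keyed to the risk level (assumption)."""
    if risk >= 6:
        return 7
    if risk >= 3:
        return 30
    return 90


def remediation_queue(cve_findings=CVE_FINDINGS, open_services=OPEN_SERVICES) -> list:
    """Findings ordered by risk (highest first), then host; each entry is
    (host, description, risk, sla_days)."""
    ordered = sorted(build_findings(cve_findings, open_services),
                     key=lambda f: (-f.risk, f.host))
    return [(f.host, f.description, f.risk, remediation_sla_days(f.risk)) for f in ordered]


if __name__ == "__main__":
    for host, desc, risk, sla in remediation_queue():
        print(f"risk={risk} sla={sla:>2}d {host:<16} {desc}")
```

With this sample data the Log4Shell finding, despite carrying the highest CVSS score on the page, lands at the bottom of the queue because it sits on a low-impact workstation, while Heartbleed and the stray telnet listener on the CUI file server go to the top. That is what "remediate in accordance with assessments of risk" means in practice: the scanner supplies likelihood, the 3.11.1 assessment supplies impact, and the queue is built from both. In a real program the mapping tables would be replaced by the organization's own ratings and timelines.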