Ignyte CMMC Specialist


How does the "risk assessment" family in NIST 800-171 differ from the "security assessment" family?

NIST 800-171 requirements are often confusing, and the Risk Assessment family is one of the broadest. The same family covers the organizational "mission" and scanning the network for vulnerabilities, even though mission-level risk and vulnerability management are normally owned by very different roles and levels within a company. The basic requirement is to assess risk at two levels: the entity level and the IT/technology level. An entity-level risk assessment is a macro view that paints a broad picture, for example "too few resources assigned to this program could cost the company a government contract." A technical risk assessment, as stated in 3.11.2, comes down to scanning your network and applications for vulnerabilities and then, under 3.11.3, fixing what is found in line with the assessed risk.

The difference from the Security Assessment family (3.12) is what is being assessed. Risk Assessment (3.11) asks what could go wrong to the mission, the organization's assets, and individuals as a result of operating the system, and which vulnerabilities make that more likely. Security Assessment (3.12) asks whether the security controls you have implemented are actually working, tracks their gaps in a plan of action, and documents them in the system security plan.

Risk Assessment

3.11.1 Periodically assess the risk to organizational operations (including mission, functions, image, or reputation), organizational assets, and individuals, resulting from the operation of organizational information systems and the associated processing, storage, or transmission of CUI.

These risk assessments consider threats, vulnerabilities, likelihood, and impact to organizational operations, organizational assets, and individuals based on the operation and use of organizational systems.

Risk assessments also consider risk from external parties:

  • Service providers

  • Contractors operating systems on behalf of the organization

  • Individuals accessing organizational systems

  • Outsourcing entities

Risk assessments, either formal or informal, can be conducted at:

  • Organization level

  • Mission or business process level

  • System level

  • Any phase in the system development life cycle

NIST Special Publication 800-30 provides guidance on conducting risk assessments.

3.11.2 Scan for vulnerabilities in the information system and applications periodically and when new vulnerabilities affecting the system are identified.

Organizations determine the required vulnerability scanning for all system components, ensuring that potential sources of vulnerabilities are not overlooked.

The set of vulnerabilities scanned for (the scanner's signature or plugin feed) must be kept current as new vulnerabilities are discovered and announced and as new scanning methods are developed.

Vulnerability scanning includes:

  • Scanning for patch levels

  • Scanning for functions, ports, protocols, and services that should not be accessible to users or devices

  • Scanning for improperly configured or incorrectly operating information flow control mechanisms

Organizations consider using scanning tools that express vulnerabilities in the Common Vulnerabilities and Exposures (CVE) naming convention and that use the Open Vulnerability Assessment Language (OVAL) to determine the presence of vulnerabilities.

Sources for vulnerability information include the Common Weakness Enumeration (CWE) listing and the National Vulnerability Database (NVD).

Organizations also consider using scanning tools that express vulnerability impact by the Common Vulnerability Scoring System (CVSS).

NIST Special Publication 800-40 provides guidance on vulnerability management.

3.11.3 Remediate vulnerabilities in accordance with assessments of risk.

Vulnerabilities found by the scanning required in 3.11.2 are remediated in the order and on the timeline that the risk assessment in 3.11.1 justifies: a finding's severity (for example its CVSS score), the exposure of the affected system, and the criticality of the asset and the CUI it handles together decide whether it is patched immediately, mitigated with a compensating control, or accepted and documented.
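As an added example that is not part of the original post or of any NIST or Ignyte material, the following Python ties 3.11.2 and 3.11.3 together: it validates scanner findings against the CVE naming convention, maps CVSS base scores to the NVD severity bands, flags open ports that an approved baseline does not allow, and orders remediation by a risk score built from the 3.11.1 factors (likelihood from CVSS and exposure, impact from asset criticality). The hosts, the baseline, the criticality ratings, the scoring formula and the SLA deadlines are all hypothetical, and the scan output is constructed.

```python
"""Risk-based triage of vulnerability scan findings (NIST SP 800-171 3.11.2 and 3.11.3).
Added example with constructed data; the scoring policy and SLAs are illustrative,
not prescribed by NIST SP 800-171 or Ignyte."""
import re
from dataclasses import dataclass

# CVE identifiers follow "CVE-<year>-<4 or more digits>" (the CVE naming convention).
CVE_RE = re.compile(r"^CVE-\d{4}-\d{4,}$")

# Hypothetical approved-services baseline: host -> TCP ports allowed to be reachable.
# Anything else is a 3.11.2 "should not be accessible" finding.
BASELINE = {"cui-fileserver": {445}, "web-portal": {443}, "jump-host": {22}}

# Hypothetical asset criticality from the 3.11.1 entity-level risk assessment
# (1 = low impact if compromised, 3 = high impact, e.g. the host stores CUI).
CRITICALITY = {"cui-fileserver": 3, "web-portal": 2, "jump-host": 2}


@dataclass(frozen=True)
class Finding:
    host: str
    cve: str
    cvss: float            # CVSS v3 base score as reported by the scanner
    internet_facing: bool  # exposure, from the scan or the asset inventory
    patch_available: bool


def severity(cvss):
    """Map a CVSS v3 base score to the NVD qualitative severity band."""
    if cvss == 0.0:
        return "None"
    if cvss < 4.0:
        return "Low"
    if cvss < 7.0:
        return "Medium"
    if cvss < 9.0:
        return "High"
    return "Critical"


def remediation_priority(f):
    """Risk = likelihood x impact, the 3.11.1 factors applied to a single finding.
    Likelihood proxy: CVSS base score, doubled when the host is internet facing.
    Impact proxy: the asset criticality recorded in the risk assessment."""
    if not CVE_RE.match(f.cve):
        raise ValueError(f"not a CVE identifier: {f.cve!r}")
    exposure = 2.0 if f.internet_facing else 1.0
    return round(f.cvss * exposure * CRITICALITY.get(f.host, 1), 1)


def remediation_sla_days(f):
    """Hypothetical remediation deadlines driven by the priority score."""
    score = remediation_priority(f)
    if score >= 40:
        return 7
    if score >= 20:
        return 30
    if score >= 8:
        return 90
    return 180


def triage(findings):
    """Order findings by descending risk and attach the 3.11.3 remediation decision."""
    rows = [{
        "host": f.host,
        "cve": f.cve,
        "severity": severity(f.cvss),
        "priority": remediation_priority(f),
        "sla_days": remediation_sla_days(f),
        # No patch available: apply a compensating control and record the residual risk.
        "action": "patch" if f.patch_available else "mitigate and document",
    } for f in findings]
    return sorted(rows, key=lambda r: r["priority"], reverse=True)


def baseline_deviations(observed_ports):
    """observed_ports: host -> set of open TCP ports seen by the scanner.
    Returns, per host, the open ports the approved baseline does not allow."""
    deviations = {}
    for host, ports in observed_ports.items():
        extra = sorted(ports - BASELINE.get(host, set()))
        if extra:
            deviations[host] = extra
    return deviations


# Constructed scan output: real CVE identifiers with the CVSS v3 base scores a
# scanner would report from NVD, on made-up hosts with made-up exposure.
SAMPLE_FINDINGS = [
    Finding("cui-fileserver", "CVE-2020-1472", 10.0, internet_facing=False, patch_available=True),
    Finding("web-portal", "CVE-2021-44228", 10.0, internet_facing=True, patch_available=True),
    Finding("jump-host", "CVE-2019-0708", 9.8, internet_facing=True, patch_available=False),
    Finding("jump-host", "CVE-2016-2183", 7.5, internet_facing=False, patch_available=True),
]
SAMPLE_OPEN_PORTS = {"cui-fileserver": {445, 3389}, "web-portal": {443}, "jump-host": {22, 80}}

if __name__ == "__main__":
    for row in triage(SAMPLE_FINDINGS):
        print(row)
    print("ports outside baseline:", baseline_deviations(SAMPLE_OPEN_PORTS))
```

Note that two findings with the same CVSS score land in different SLA buckets: the internet-facing web portal is due in 7 days while the internal CUI file server, despite its higher criticality, gets 30, which is exactly the "in accordance with assessments of risk" judgment 3.11.3 asks for rather than a flat "fix all Criticals first" rule. The unpatched BlueKeep finding on the jump host is tracked as a mitigation item so the residual risk is documented instead of silently carried.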


Ignyte © 2020 All Rights Reserved. Ignyte Assurance Platform, Privacy Policy and Terms of Service.