
NIST SP 800-39 — Managing Information Security Risk: Organization, Mission, and Information System View

SmartSuite provides the system for managing controls, evidence, mappings, assessments, and reporting.
Framework text may require a separate license unless explicitly provided.

Overview

NIST SP 800-39 is a risk management publication from NIST providing guidance for managing information security risk at the organizational, mission/business process, and information system levels. It establishes a comprehensive risk management framework that integrates security risk management into organizational governance and operations.

Published by NIST, SP 800-39 is used by federal agencies, senior leaders, risk executives, and information security professionals to establish structured approaches to managing risks to organizational operations and assets. It covers organizational risk framing, risk assessment, risk response, and risk monitoring activities.

Organizations implement SP 800-39 by establishing risk management governance structures, defining risk framing approaches, conducting risk assessments at multiple organizational levels, implementing risk responses, and monitoring ongoing risk posture.

Why it Matters

NIST SP 800-39 provides federal agencies with a comprehensive, multi-level approach to information security risk management that integrates security into organizational governance and decision-making.

Key benefits include:

  • Establish enterprise risk management

Create integrated risk management across organizational, mission, and system levels supporting informed governance decisions.

  • Support federal compliance

Meet FISMA and federal requirements for information security risk management across agency programs.

  • Improve risk-informed decisions

Provide leadership with risk information needed to make informed investment and operational decisions.

  • Integrate with RMF

Establish the organizational risk management context for NIST Risk Management Framework implementation.

  • Manage organizational risk posture

Maintain ongoing awareness and management of information security risk across agency operations.

How it Works

SP 800-39 establishes four risk management components: risk framing (establishing risk context), risk assessment (identifying threats and vulnerabilities), risk response (selecting and implementing responses), and risk monitoring (maintaining awareness of risk posture). These operate across organizational, mission/business, and information system tiers.

Key Elements

  • Risk Framing Component

Establishes organizational risk context, tolerance, and constraints guiding risk management activities.

  • Risk Assessment Component

Identifies threats, vulnerabilities, and potential impacts to inform risk response decisions.

  • Risk Response Component

Selects and implements risk responses including acceptance, avoidance, mitigation, and sharing.

  • Risk Monitoring Component

Maintains ongoing awareness of risk posture through continuous monitoring activities.

Framework Scope

NIST SP 800-39 applies to federal agencies managing information security risk across organizational operations, assets, individuals, and missions.

Framework Objectives

NIST SP 800-39 provides comprehensive guidance for managing information security risk across organizational levels.

  • Establish integrated information security risk management across organizational tiers
  • Support federal FISMA compliance through structured risk management processes
  • Provide leadership with risk information for governance and investment decisions
  • Integrate organizational risk management with NIST RMF implementation
  • Maintain ongoing risk monitoring supporting adaptive risk response

Common Framework Mappings

Mapped frameworks include:

NIST Cybersecurity Framework

NIST SP 800-30

NIST SP 800-37

NIST SP 800-53

ISO/IEC 27001

At a Glance

NIST SP 800-39 (2011)

  • Classification
    Category: Risk Management
    Domain: Risk Management
    Framework Family: NIST Special Publications

  • Regulatory Context
    Type: Regulation
    Legal Instrument: Framework
    Sector: Cross-Sector
    Industry: Cross-Industry

  • Region / Publisher
    Region: Global
    Region Detail: United States
    Publisher: National Institute of Standards and Technology (NIST)

  • Versioning
    Version: Rev. 1
    Effective Date: March 2011
    Issue Date: March 2011

  • Adoption
    Adoption Model: Risk Management
    Implementation Complexity: High

  • Official Reference
License Information

License included / downloadable: Yes

NIST SP 800-39 is publicly available from NIST. The license is included with the platform.

Official Resources

  • NIST SP 800-39: Managing Information Security Risk
    Defines the management of information security risk in organizational processes.

  • NIST Risk Management Framework (RMF)
    Outlines the process for risk management in federal information systems.

  • NIST SP 800-53: Security and Privacy Controls
    Provides controls to protect organizational operations and assets from cybersecurity risks.

  • NIST Cybersecurity Framework
    Describes common policies to improve cybersecurity risk management.

  • NIST Risk Management Overview
    Describes integration of risk management into organizational processes.
SMARTSUITE

How SmartSuite Supports the MPA Content Security Program

Manage content protection governance and enforce security practices required to safeguard pre-release media assets and production workflows.

Content Security Control Library

Organize MPA security requirements for production, post-production, storage, and distribution environments with assigned ownership.

Production and Asset Access Governance

Control and document user access to sensitive content, systems, and facilities involved in media production workflows.

Vendor and Production Partner Oversight

Track security requirements, assessments, and contractual obligations for vendors handling pre-release content.

Security Assessments and Compliance Tracking

Manage internal reviews and studio assessments validating adherence to MPA content protection practices.

Incident and Content Leakage Response

Coordinate investigation, escalation, and remediation of security incidents involving protected media assets.

Program Reporting and Studio Assurance

Provide dashboards showing compliance status, open issues, vendor risks, and overall content security readiness.

Related frameworks

  • COSO ERM 2017
    COSO ERM is a framework that helps organizations identify, assess, manage, and monitor enterprise risks to achieve objectives.

  • ISO 31000:2018
    ISO 31000 provides guidelines for identifying, assessing, and managing organizational risks to improve resilience and decision-making.

  • ISO 27001:2022
    ISO/IEC 27001:2022 is an international ISMS standard that helps organizations manage information security risks and protect data.

  • NIST CSF 2.0
    NIST Cybersecurity Framework (CSF) v2.0 is a risk-based framework that helps organizations manage and reduce cybersecurity risks.

  • NIST 800-37 Rev.2
    NIST RMF provides a structured process to select, implement, assess, authorize, and continuously monitor cybersecurity and privacy controls.

  • NIST 800-53 Rev.5
    NIST SP 800-53 Rev. 5 provides a catalog of security and privacy controls to manage risks to information systems.
ONBOARDING FAQS

Frequently Asked Questions for NIST SP 800-39 (Managing Information Security Risk)

What is NIST SP 800-39 used for?

NIST SP 800-39 provides a structured approach to managing information security risk across an entire organization. It helps organizations identify, assess, and respond to security risks at the organizational, business process, and information system levels, supporting overall cybersecurity resilience.

Is NIST SP 800-39 mandatory or certifiable?

NIST SP 800-39 is not a certifiable standard, but it is mandatory for U.S. federal agencies as part of their information security programs. Organizations in regulated sectors or working with government agencies often adopt it voluntarily to align with federal risk management best practices and demonstrate due diligence.

Who should use NIST SP 800-39, and what is its scope?

NIST SP 800-39 applies to organizations seeking a comprehensive, enterprise-wide risk management strategy for information security. Its scope includes all organizational levels, from governance and mission/business processes to individual information systems, making it suitable for entities of various sizes and industries.

What are the key concepts in NIST SP 800-39?

Key concepts in NIST SP 800-39 include its three-tiered risk management model (organization, mission/business process, and information system), the risk management lifecycle (framing, assessing, responding, and monitoring risk), and governance processes for integrating risk management throughout the organization.

How do organizations implement NIST SP 800-39?

Organizations implement NIST SP 800-39 by establishing risk management policies, defining risk tolerance, performing risk assessments at each tier, and mapping identified risks to specific controls. Continuous monitoring, documented reporting, and coordinated governance ensure effective risk response and mitigation over time.

How does NIST SP 800-39 relate to other NIST frameworks?

NIST SP 800-39 serves as an overarching risk management framework that aligns with other NIST publications, such as NIST SP 800-53 for security controls and the NIST Risk Management Framework (RMF). It provides the structure for integrating these controls and standards into a unified risk management program.

What are the ongoing compliance requirements for NIST SP 800-39?

Ongoing compliance with NIST SP 800-39 requires regular risk assessments, updates to control implementation, incident response readiness, and continuous monitoring of risks and controls. Governance and documentation are essential to demonstrate compliance and adapt to evolving threats and organizational changes.

How would SmartSuite support NIST SP 800-39?

SmartSuite enables organizations to manage NIST SP 800-39 by centralizing risk assessment data, maintaining control libraries, and tracking risk mitigation actions. It supports collection of compliance evidence, facilitates audit readiness with dashboard reporting, automates monitoring workflows, and streamlines governance for executive oversight.

NEXT STEP

Put CRI Profile into action with SmartSuite

Map controls, collect evidence, run assessments, manage remediation, and report readiness, all from a single connected system.
