Skip to main content
U.S. flag

An official website of the United States government

Official websites use .gov
A .gov website belongs to an official government organization in the United States.

Secure .gov websites use HTTPS
A lock ( ) or https:// means you’ve safely connected to the .gov website. Share sensitive information only on official, secure websites.

Risk Management Guidance for Information Technology Systems



Joan Hash


Risk Management is the process of identifying risk, assessing risk, and taking steps to reduce risk to an acceptable level. Organizations use risk assessment, the first step in the risk management methodology, to determine the extent of the potential threat, vulnerabilities, and the risk associated with an information technology (IT) system. The output of this process helps to identify appropriate controls for reducing or eliminating risk during the risk mitigation process, the second step of risk management, which involves prioritizing, evaluating, and implementing the appropriate risk-reducing controls recommended from the risk assessment process.This guide provides a foundation for the development of an effective risk management program, containing both the definitions and the practical guidance necessary for assessing and mitigating risks identified within IT systems throughout their system development life cycle (SDLC). The ultimate goal is to help organizations to better manage IT-related mission risks.
ITL Bulletin -


cost-benefit analysis, residual risk, risk assessment, risk management, risk mitigation, security controls, security threats, system vulnerabilities


Hash, J. (2002), Risk Management Guidance for Information Technology Systems, ITL Bulletin, National Institute of Standards and Technology, Gaithersburg, MD, [online], (Accessed April 23, 2024)
Created February 26, 2002, Updated February 19, 2017