The purpose of NIST Special Publication 800-39 is to provide guidelines for managing risk to organizational operations and assets, individuals, other organizations, and the Nation resulting from the operation and use of information systems. Special Publication 800-39 is the flagship document in the series of FISMA-related publications and provides, through the implementation of a risk management framework, a structured, yet flexible approach for managing that portion of risk resulting from the incorporation of information systems into the mission and business processes of organizations. The risk management concepts described in this publication are intentionally broad-based, with the specific details of assessing risk and employing appropriate risk mitigation strategies provided by supporting NIST security standards and guidelines.
The guidelines provided in this special publication have been broadly developed from a technical perspective to be generally useful across a wide range of organizations employing information systems to implement mission and business processes. The guidelines are directly applicable to all federal information systems other than those systems designated as national security systems as defined in 44 U.S.C., Section 3542. The guidelines complement similar guidelines for national security systems and may be used for such systems with the approval of the Director of National Intelligence (DNI), the Secretary of Defense (SECDEF), or the Chairman of the Committee on National Security Systems (CNSS), or their designees. The guidelines are also complementary to the risk management approaches and associated activities defined in the Department of Homeland Security (DHS) National Infrastructure Protection Plan (NIPP) and the supporting Sector Specific Plans (SSPs). State, local, and tribal governments, as well as private sector organizations that compose the critical infrastructure of the United States, are also encouraged to consider the use of these guidelines, as appropriate.