On February 21, 2024, UnitedHealth Group detected ransomware inside Change Healthcare, the clearinghouse that handles about a third of US medical claims. The attackers had been inside for nine days, having entered through a Citrix remote-access portal that had no multi-factor authentication.
A NIST CSF risk assessment is built to surface exactly that missing control before an attacker does. UnitedHealth later paid a $22 million ransom to an ALPHV affiliate, confirmed data on roughly 100 million people was exposed, and tied more than $1 billion in losses to the attack.
A NIST CSF risk assessment scores your cyber risk against the NIST Cybersecurity Framework, with the assessment work concentrated in the ID.RA category. The output is a ranked list of what could hurt you and what to fix first, written in language an auditor and a board both accept.
| NIST CSF Risk Assessment: Key Takeaways |
| --- |
| A NIST CSF risk assessment scores cyber threats, vulnerabilities, and business impact against the NIST Cybersecurity Framework, then ranks the results so you treat the worst exposure first. |
| The assessment work concentrates in ID.RA, the Risk Assessment category inside the Identify function, which feeds every other function in the framework. |
| Change Healthcare is the cautionary case: a Citrix portal with no MFA let an ALPHV affiliate in, UnitedHealth paid a $22 million ransom, and losses passed $1 billion. A NIST CSF risk assessment scores exactly that gap. |
| NIST released CSF 2.0 in February 2024 and added a sixth function, Govern, so the assessment now reports into a named governance owner rather than floating in IT. |
| Score each risk on a single 5×5 likelihood-by-impact scale for an inherent score from 1 to 25, apply controls, then re-score the residual to prove the fix worked. |
| Align the steps to NIST SP 800-30 and map controls to NIST 800-53 so the assessment holds up with an auditor, a board, and a cyber-insurer alike. |
What a NIST CSF Risk Assessment Is (and Is Not)
A NIST CSF risk assessment is a structured review of cyber threats, vulnerabilities, and their business impact, scored and prioritized using the NIST Cybersecurity Framework. It answers one question: which cyber risks are most likely to cause the most harm, and in what order should you treat them?
It is not a control checklist. The framework is outcome-based, so the assessment measures whether risks are understood and managed, not whether a fixed list of boxes is ticked. That is the distinction our guide to NIST CSF versus ISO 27001 draws out.
It also has to repeat. The Change Healthcare gap existed long before the breach, which is why a NIST CSF risk assessment runs on a cadence and reopens on change rather than getting filed after an audit.
Where the Risk Assessment Sits in NIST CSF 2.0
NIST released CSF 2.0 in February 2024, its first major revision, and added a sixth function called Govern. The risk assessment itself lives inside the Identify function, in the category labeled ID.RA.
That placement matters in a NIST CSF risk assessment. You cannot protect, detect, respond, or recover against risks you have not first identified and rated, so ID.RA feeds every other function and the broader CSF 2.0 implementation that follows.
Why a NIST CSF Risk Assessment Matters: The Change Healthcare Lesson
Healthcare is the most expensive place to get this wrong. IBM’s 2024 Cost of a Data Breach report put the healthcare average at $9.77 million, well above the $4.88 million cross-industry figure.

Figure 1. The Change Healthcare numbers a NIST CSF risk assessment is built to prevent.
Change Healthcare turned that average into a headline. The root cause was a single control a NIST CSF risk assessment scores directly: missing multi-factor authentication on one remote-access portal, the gap an ALPHV ransomware affiliate walked through.

Figure 2. Breach cost by sector, the stakes behind every NIST CSF risk assessment in healthcare.
The failure ran deeper than one missing control. An unrated, untreated vulnerability sat in scope for months, and no risk score forced anyone to fix it before the attackers did.
The Six Functions Framing Every NIST CSF Risk Assessment
Every NIST CSF risk assessment is framed by six functions. They run from setting strategy to restoring operations, and the assessment touches all of them even though the scoring concentrates in Identify.
| Function | Purpose | Role in the assessment |
| --- | --- | --- |
| Govern | Set and monitor the risk strategy (new in 2.0) | Owns risk tolerance and who decides |
| Identify | Understand assets, suppliers, and risk | Houses ID.RA, the scoring engine |
| Protect | Safeguards such as access control and MFA | Names the controls that cut residual risk |
| Detect | Find and analyze possible attacks | Surfaces threats the assessment must score |
| Respond | Act on a detected incident | Tests whether response risk is acceptable |
| Recover | Restore assets and operations | Scores continuity and backup gaps |
Figure 3. The six functions of CSF 2.0 that frame every NIST CSF risk assessment.

Govern is the headline change in CSF 2.0. It puts risk strategy, roles, and policy above the other five functions, so a NIST CSF risk assessment now reports into a named governance owner, a shift our CSF 2.0 versus 1.1 comparison walks through.
Inside ID.RA: The Risk Assessment Category of NIST CSF
ID.RA is where a NIST CSF risk assessment does its core work. The category breaks the assessment into discrete, auditable steps, from finding vulnerabilities to prioritizing the response.
| ID.RA subcategory | What a NIST CSF risk assessment must do |
| --- | --- |
| ID.RA-01 | Identify, validate, and record vulnerabilities in assets |
| ID.RA-02 | Receive cyber threat intelligence from sharing sources |
| ID.RA-03 | Identify and record internal and external threats |
| ID.RA-04 | Determine the likelihood and impact of those threats |
| ID.RA-05 | Combine them into inherent risk and prioritize response |
| ID.RA-06 | Choose, plan, track, and communicate risk responses |
Read ID.RA-01 against the Change Healthcare timeline. The missing MFA was a vulnerability that should have been identified, validated, and recorded, then carried into the impact and risk-determination steps, the kind of signal an IT key risk indicator is meant to raise.
CSF 2.0 extends ID.RA further. Subcategories ID.RA-07 through ID.RA-10 add change management, vulnerability-disclosure handling, and supply-chain checks, so a modern NIST CSF risk assessment reaches your vendors, not just your own systems.
How to Conduct a NIST CSF Risk Assessment Step by Step
Turn ID.RA into a repeatable procedure. These six steps align the NIST CSF risk assessment with NIST SP 800-30, the federal guide for conducting risk assessments, so the method holds up under scrutiny.
| Step | Action | Output |
| --- | --- | --- |
| 1. Scope | Set the boundary, context, and scoring scale | A documented assessment plan |
| 2. Inventory | List systems, data, and suppliers in scope | An asset register (ID.AM) |
| 3. Identify | Pull threats and validated vulnerabilities | A threat and vulnerability list |
| 4. Rate | Score likelihood and impact on one scale | Inherent risk scores |
| 5. Prioritize | Rank by exposure and business criticality | A ranked risk list |
| 6. Treat | Apply controls, re-score, and record | Residual scores in the register |
Step one decides the rest. Set the scope and the scoring scale before you score anything, the same discipline behind any defensible step-by-step risk assessment.
Scoring Risk in a NIST CSF Risk Assessment
Score each risk on likelihood and impact, usually on a 5×5 scale, then multiply for an inherent score from 1 to 25. Apply controls, re-score the residual, and you have a before-and-after measure of whether the fix actually worked.
| Risk in a NIST CSF risk assessment | Inherent | Residual | Control applied |
| --- | --- | --- | --- |
| Remote access without MFA | 25 | 10 | Enforce multi-factor authentication |
| Unpatched internet-facing system | 20 | 8 | Patch SLA and vulnerability scanning |
| Phishing to credential theft | 16 | 8 | Awareness training and email filtering |
| No network segmentation | 16 | 6 | Segment and restrict lateral movement |
| No tested backups | 15 | 6 | Immutable, tested, offline backups |

Figure 4. A NIST CSF risk assessment drives each inherent score down to an acceptable residual.
The MFA row is the one to study. Remote access without multi-factor authentication scores a 25, the top of the scale, and drops to a 10 once MFA is enforced, which is why an enforced control beats a documented exception. Our guide to inherent risk scoring in Excel shows the math.
Pick one scale and hold it. Mixing a 4×4 and a 5×5 matrix across teams makes scores incomparable, so settle the matrix question first and record every score in a live risk register.
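The scoring rules above (one 5×5 scale, inherent = likelihood × impact, residual re-scored after treatment) and the Treat step of the six-step procedure, as a small Python risk register. This is an added example, not code from the article or from Risk Publishing; the register rows, the likelihood and impact factor pairs, the third-party gateway entry and the shared admin account entry are constructed for illustration, chosen so the totals match the table.

```python
from dataclasses import dataclass
from typing import Optional

SCALE = 5  # the one 5x5 likelihood-by-impact matrix used across the whole scope


@dataclass
class Risk:
    name: str
    likelihood: Optional[int] = None  # 1..SCALE; None = logged but never rated
    impact: Optional[int] = None
    control: Optional[str] = None  # treatment applied, if any
    residual_likelihood: Optional[int] = None  # re-scored after the control
    residual_impact: Optional[int] = None


def score(likelihood: Optional[int], impact: Optional[int]) -> Optional[int]:
    """Likelihood x impact, rejecting any value that is not on the agreed scale."""
    if likelihood is None or impact is None:
        return None
    for label, value in (("likelihood", likelihood), ("impact", impact)):
        if not isinstance(value, int) or not 1 <= value <= SCALE:
            raise ValueError(f"{label}={value!r} is not on the 1..{SCALE} scale")
    return likelihood * impact


def assess(register: list) -> dict:
    """Rank rated risks by inherent exposure and flag two ID.RA failure modes:
    gaps logged but never rated, and controls applied but never re-scored."""
    rated = [r for r in register if score(r.likelihood, r.impact) is not None]
    rated.sort(key=lambda r: score(r.likelihood, r.impact), reverse=True)
    return {
        "ranked": [(r.name, score(r.likelihood, r.impact),
                    score(r.residual_likelihood, r.residual_impact)) for r in rated],
        "unrated": [r.name for r in register if score(r.likelihood, r.impact) is None],
        "not_rescored": [r.name for r in rated if r.control
                         and score(r.residual_likelihood, r.residual_impact) is None],
    }


# Constructed sample register; the factor pairs reproduce the article's totals.
SAMPLE = [
    Risk("Remote access without MFA", 5, 5, "Enforce multi-factor authentication", 2, 5),
    Risk("Unpatched internet-facing system", 4, 5, "Patch SLA and vulnerability scanning", 2, 4),
    Risk("Phishing to credential theft", 4, 4, "Awareness training and email filtering", 2, 4),
    Risk("No network segmentation", 4, 4, "Segment and restrict lateral movement", 2, 3),
    Risk("No tested backups", 3, 5, "Immutable, tested, offline backups", 2, 3),
    Risk("Third-party file transfer gateway"),  # known gap, never rated (constructed)
    Risk("Shared admin account", 3, 4, "Password vault rollout"),  # treated, never re-scored
]
```

Calling `assess(SAMPLE)` returns the ranked before-and-after scores plus the two gap lists that the pitfalls table warns about; passing a value such as 6 to `score` raises, which is the mixed-scale check.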
Standards That Anchor a NIST CSF Risk Assessment
A NIST CSF risk assessment is stronger when it cites the documents behind it. Four NIST and ISO references do most of the work, and an assessor will expect to see them mapped.
| Standard | Scope | Role in the assessment |
| --- | --- | --- |
| NIST CSF 2.0 | Cybersecurity outcomes and functions | The structure and the ID.RA category |
| NIST SP 800-30 | Conducting risk assessments | The step-by-step assessment method |
| NIST SP 800-53 | Security and privacy controls | The controls that cut residual risk |
| ISO 31000 | Risk management principles | The risk language ID.RA aligns to |
ISO 31000 supplies the risk language. Our explainer on what ISO 31000 is frames risk as the effect of uncertainty on objectives, and ID.RA aligns to that methodology rather than competing with it.
NIST 800-53 supplies the controls. Where the framework says a risk must be managed, 800-53 and the CSF informative references name the specific control, closing the gap between the assessment and the fix in a NIST CSF risk assessment.
Frequently Asked Questions About NIST CSF Risk Assessment
What is a NIST CSF risk assessment?
A NIST CSF risk assessment is a structured evaluation of cyber threats, vulnerabilities, and business impact, scored and prioritized using the NIST Cybersecurity Framework. It produces a ranked list of risks and treatments rather than a pass-fail checklist, concentrating the analysis in the ID.RA category of the Identify function.
What is ID.RA in a NIST CSF risk assessment?
ID.RA is the Risk Assessment category inside the Identify function. In a NIST CSF risk assessment it covers identifying vulnerabilities, receiving threat intelligence, recording threats, determining likelihood and impact, and prioritizing responses. CSF 2.0 expands it to ten subcategories that reach change management and supply-chain risk.
How do you conduct a NIST CSF risk assessment step by step?
Scope the assessment and set a scoring scale, inventory assets in scope, identify threats and validated vulnerabilities, rate likelihood and impact, then determine and prioritize risk. Finally, apply controls and re-score the residual. Aligning these steps to NIST SP 800-30 keeps the method defensible.
What changed for a NIST CSF risk assessment in CSF 2.0?
CSF 2.0, released in February 2024, added a sixth function, Govern, which sits above the other five and owns risk strategy and accountability. For a NIST CSF risk assessment, that means scoring now reports into a named governance owner, and ID.RA expanded to cover supply-chain and change-related risk.
How is a NIST CSF risk assessment different from ISO 27001?
A NIST CSF risk assessment measures cybersecurity outcomes and is voluntary and flexible, while ISO 27001 certifies a formal information security management system against fixed requirements. Many organizations run both, using SOC 2 and ISO 27001 for attestation and the CSF for the risk view.
What standards support a NIST CSF risk assessment?
NIST SP 800-30 provides the assessment method, NIST 800-53 provides the controls, and ISO 31000 provides the risk-management principles. Together they let a NIST CSF risk assessment move from a rated risk to a named control to a documented residual, which is what auditors and cyber-insurers look for.
How often should a NIST CSF risk assessment be done?
Run a full NIST CSF risk assessment at least annually, and refresh it on any material change: a new system, a new vendor, a merger, or an incident. The Change Healthcare gap shows why a static assessment fails, since the unrated vulnerability persisted for months before it was exploited.
Where NIST CSF Risk Assessments Fail
Most failed assessments share a short list of mistakes, and none are exotic. Each row pairs the trap with the remedy that the breach record keeps proving out.
| Pitfall | Root cause | Remedy |
| --- | --- | --- |
| Checklist, not risk | Treating CSF as a control tick-box | Score likelihood and impact, then rank |
| Unrated known gaps | Vulnerabilities logged but never scored | Carry every gap into ID.RA scoring |
| Mixed scoring scales | Teams use different matrices | Standardize one 5×5 scale across scope |
| No residual re-score | Controls applied but never measured | Re-score after treatment and record it |
| Vendors out of scope | Assessment stops at the perimeter | Extend ID.RA to suppliers and access |
| One-and-done | No change-triggered review | Reopen on new systems, vendors, incidents |
The first two rows caused Change Healthcare. A control gap can be known and still go untreated when no score forces the priority, which is the failure mode a cyber security risk management plan exists to close.
The NIST CSF Risk Assessment Horizon: 2026 and Beyond
Governance is the near-term shift. With Govern now a function in its own right, a NIST CSF risk assessment increasingly answers to a board committee, and US public companies fold it into the cyber disclosures the SEC began requiring in 2023.
Artificial intelligence is widening the scope. Models and their data introduce new attack surfaces, so the assessment is starting to borrow from the NIST AI Risk Management Framework alongside the cybersecurity one.
Supply-chain and privacy risk keep rising. CSF 2.0’s expanded ID.RA and data-privacy key risk indicators are becoming standing items, as buyers answer for what happens deep in their vendor networks.
The lasting test is the one Change Healthcare failed. Treat a NIST CSF risk assessment as a living control system, scored and re-scored on change, and the unrated gap shows up on the register long before it shows up in a Senate hearing.
Infographic: The NIST CSF Risk Assessment Lifecycle

Figure 5. A NIST CSF risk assessment as a six-step loop aligned to ID.RA and NIST SP 800-30.
Run a Defensible NIST CSF Risk Assessment
Risk Publishing helps US security and risk teams turn the framework into a defensible NIST CSF risk assessment, from the ID.RA scoring to the risk register behind it. See our services, then contact us when your assessment needs to find the missing control before an attacker does.

Chris Ekai is a Risk Management expert with over 10 years of experience in the field. He has a Master's (MSc) degree in Risk Management from the University of Portsmouth and is a CPA and Finance professional. He currently works as a Content Manager at Risk Publishing, writing about Enterprise Risk Management, Business Continuity Management and Project Management.