The National Institute of Standards and Technology (NIST) has released the initial public draft of the first revision of the Guide for Conducting Risk Assessments (Special Publication 800-30). This revision shifts the focus of the guidelines from management to assessment, and NIST Special Publication 800-39 now replaces Special Publication 800-30 as the authoritative source of comprehensive risk management guidance. The draft document expands the scope to include more in-depth information on a variety of risk factors that must be considered when determining information security risk. The revision also describes how to apply the risk assessment process in the three tiers of the risk management hierarchy: the organization, the mission/business process and the information system levels. Public comments about the revision will be accepted through November 4, 2011.