Which document provides guidance for conducting risk assessments on federal systems?


The document that provides guidance for conducting risk assessments on federal systems is NIST SP 800-30. This publication focuses specifically on the risk assessment process and its methodology, outlining how organizations identify, evaluate, and prioritize risks to their information systems. It offers a comprehensive approach to understanding the potential impact of those risks on organizational operations and assets, enabling agencies to select appropriate risk management strategies.

NIST SP 800-30 emphasizes a structured risk assessment methodology that includes identifying threats, vulnerabilities, and potential impacts, which is essential for Federal Information Security Management Act (FISMA) compliance. By following this document, organizations ensure that they apply best practices when assessing and managing the risks inherent in their systems.

The other documents mentioned contribute to the broader information security framework but serve different purposes. FIPS 199 focuses on categorizing information and information systems by the impact of a security breach, while FIPS 200 establishes minimum security requirements. CNSS Instruction 1253 also sets forth security requirements, but it does not provide direct instruction on the risk assessment process in the way NIST SP 800-30 does.
