NIST SP 800-30 provides guidance for conducting risk assessments of information systems and organizations in order to identify threats, vulnerabilities, impacts, and likelihoods. It outlines a four-step risk assessment process: 1) preparing for the assessment, 2) conducting the assessment, 3) communicating the results, and 4) maintaining the assessment. The goal is to help organizations understand their weaknesses so that they can make risk-based decisions and mitigate cyber risks to the information systems critical to their operations.