SP-800-39 superseded which previous NIST Special Publication?

Understanding how NIST risk guidance has evolved is key. SP 800-39 introduces a holistic approach to information security risk management that covers the organization, mission, and information system levels. It weaves together governance, risk assessment, risk response, and continuous monitoring into an integrated framework. Because of that broader scope, SP 800-39 replaced the older risk assessment guidance in SP 800-30. In other words, SP 800-39 provides the enterprise-wide risk management context in which risk assessments (the focus of SP 800-30) are conducted, rather than just detailing a standalone risk assessment method. The other publications listed—SP 800-53 (controls), SP 800-37 (RMF process), and SP 800-61 (incident handling)—remain relevant but are not superseded by SP 800-39.