When do I need to perform a Risk Assessment?

SAM 5305.7 requires each state entity to conduct a risk assessment every two years or less based on need. It is a best practice to perform a risk assessment when evaluating or developing an information system.