The Common Risk Model for Dams (CRM-D), developed as a result of collaboration between the U.S. Army Corps of Engineers and the U.S. Department of Homeland Security, is a consistent, mathematically rigorous, and easy to implement methodology for security risk assessment of dams, navigation locks, hydropower projects, and similar infrastructures. The methodology provides a systematic approach for evaluating and comparing security risks across a large portfolio. Risk is calculated for an attack scenario (a specific adversary using a specific attack vector against a specific target) by combining consequence, vulnerability, and threat estimates in a way that properly accounts for the relationships among these variables. The CRM-D can effectively quantify the benefits of implementing a particular risk mitigation strategy and, consequently, enable return-on-investment analyses for multiple mitigation alternatives across a large portfolio. Recently, refinements have been made to the methodology to characterize the complexities of the adversary threat and the ability to interdict their actions. When first developed, CRM-D focused on a highly-capable international terrorist. Recently, it has been extended to include additional adversary types distinguished by a wide-range of capabilities. In addition, the methodology has been extended beyond target defenses to consider the role of local and national defenses in mitigating risk to manmade threats. A methodology for characterizing these defenses was developed as well as expert estimates for the probability an adversary could penetrate them. This comprehensive methodology provides a rigorous way to consider risks to dams across a large portfolio and is extensible to other types of critical infrastructures. This paper discusses various features of the CRM-D methodology as well as findings and lessons learned resulting from its implementation.