My organization received a recommendation from a third-party audit that we conduct a DDoS specific risk assessment. Are there any publicly available tools or templates for this specific purpose? Any help is appreciated!
You can check NIST SP 800-30 which describes how to conduct a risk assessment. Conducting a control assessment (utilizing NIST SP 800-53A) is a good start to see how well the controls are actually working. You can then conduct a risk assessment to see if the working controls mitigated the risk to your organization's risk tolerance level.
Always keep in mind the basics of what risk is: It's the likelihood of a threat exploiting a vulnerability and the resulting impact.
Look at the various threats, then determine the vulnerabilities of your information system. The impact caused by those threats (e.g., high, moderate, or low impact) is a subjective matter, dependent on your organization's opinion on the compromise of its data.