NISTIR 8286A, Identifying and Estimating Cybersecurity Risk for Enterprise Risk Management, provides an in-depth discussion of the concepts introduced in NISTIR 8286, Integrating Cybersecurity and Enterprise Risk Management (ERM).

NISTIR 8286A is intended to help organizations better implement cybersecurity risk management (CSRM) as an integral part of ERM – both taking its direction from ERM and informing it. The increasing frequency, creativity, and severity of cybersecurity attacks mean that all enterprises should ensure that cybersecurity risk is receiving appropriate attention within their ERM programs and that the CSRM program is anchored within the context of ERM.

This final version of the report clarifies several areas of CSRM in light of enterprise objectives and also incorporates editorial and subject matter improvements that were provided as feedback during the second public comment period. In addition, graphics and process descriptions were adjusted to ensure that they support subsequent activities as described in NISTIRs 8286B and 8286C.

A companion document, NISTIR 8286C, Staging Cybersecurity Risks for Enterprise Risk Management and Governance Oversight, will be available for review and comment in the coming weeks.

Related publications:

• NISTIR 8286, Integrating Cybersecurity and Enterprise Risk Management (ERM)
• NISTIR 8286B, Prioritizing Cybersecurity Risk for Enterprise Risk Management
• NISTIR 8170, Approaches for Federal Agencies to Use the Cybersecurity Framework