Identifying and Estimating Cybersecurity Risk for Enterprise Risk Management: NISTIR 8286A
November 12, 2021

NISTIR 8286A, Identifying and Estimating Cybersecurity Risk for Enterprise Risk Management, provides an in-depth discussion of the concepts introduced in NISTIR 8286, Integrating Cybersecurity and Enterprise Risk Management (ERM).

NISTIR 8286A is intended to help organizations better implement cybersecurity risk management (CSRM) as an integral part of ERM – both taking its direction from ERM and informing it. The increasing frequency, creativity, and severity of cybersecurity attacks mean that all enterprises should ensure that cybersecurity risk is receiving appropriate attention within their ERM programs and that the CSRM program is anchored within the context of ERM.

This final version of the report clarifies several areas of CSRM in light of enterprise objectives and also incorporates editorial and subject matter improvements that were provided as feedback during the second public comment period. In addition, graphics and process descriptions were adjusted to ensure that they support subsequent activities as described in NISTIRs 8286B and 8286C.

A companion document, NISTIR 8286C, Staging Cybersecurity Risks for Enterprise Risk Management and Governance Oversight, will be available for review and comment in the coming weeks.

Related Topics

Security and Privacy: risk management, security measurement

Applications: enterprise

Created November 12, 2021