Integrating Cybersecurity and Enterprise Risk Management | NIST IR 8286 Series Revisions and Updates
February 26, 2025

NIST has released revisions or updates to all five publications in its Interagency Report (IR) 8286 series. These publications help practitioners better understand the close relationship between cybersecurity and enterprise risk management (ERM). All five publications in the series have been updated to align more closely with the Cybersecurity Framework (CSF) 2.0 and other updated NIST guidance. The updated series puts greater emphasis on cybersecurity governance to highlight the importance of ensuring cybersecurity capabilities support the broader mission through ERM.

Three of the publications are available for public comment through April 14, 2025:

• NIST IR 8286r1 ipd (Revision 1 initial public draft), Integrating Cybersecurity and Enterprise Risk Management (ERM)
• NIST IR 8286Ar1 ipd, Identifying and Estimating Cybersecurity Risk for Enterprise Risk Management
• NIST IR 8286Cr1 ipd, Staging Cybersecurity Risks for Enterprise Risk Management and Governance Oversight

The other publications in the series have had only minor errata updates and are being released as final:

• NIST IR 8286B-upd1 (Update 1), Prioritizing Cybersecurity Risk for Enterprise Risk Management
• NIST IR 8286D-upd1, Using Business Impact Analysis to Inform Risk Prioritization and Response 

For more information on the release of these publications and their close relationship to CSF 2.0, see the Celebrating 1 Year of CSF 2.0 blog post.