The document highlights examples for implementing the Framework for Improving Critical Infrastructure Cybersecurity (known as the Cybersecurity Framework) in a manner that complements the use of other NIST security and privacy risk management standards, guidelines, and practices. These examples include support for an Enterprise Risk Management (ERM) approach in alignment with OMB and FISMA requirements that agency heads “manage risk commensurate with the magnitude of harm that would result from unauthorized access, use, disclosure, disruption, modification, or destruction of a federal information system or federal information.” The use of the Cybersecurity Framework’s components enable discussion about the various types of risk that might occur within federal organizations and promote conversations about how to determine the likelihood and potential consequences of risk events. These activities can then be combined with those described in NIST Special Publication (SP) 800-37, Revision 2, Risk Management Framework for Information Systems and Organizations; SP 800-39, Managing Information Security Risk; and other guidelines to form a comprehensive risk-based approach for security and privacy.

This risk-based approach will assist agencies in determining the risks that are relevant to its mission throughout the operational lifecycle and apply an appropriate type and degree of resources to treat those risks to an acceptable level. Examples in this publication will demonstrate the use of the Cybersecurity Framework, the NIST Risk Management Framework (RMF), and other models to evaluate and report agency goals and progress and to inform tailoring activities for managing cybersecurity risk appropriately. Use of a comprehensive cybersecurity risk-based approach, as demonstrated through these examples, supports agencies’ activities to meet their concurrent obligations to comply with the requirements of FISMA and Executive Order (EO) 13800.