Recent NIST Publications

    • #12551
      MHQ
      Keymaster

      NIST has recently published some key guidance documents related to integration of cybersecurity risk management with enterprise-wide risk management at the agency level. The COI played a key role in advancing dialogue and best practices in this area in 2020.

      The NISTIR 8286 – Integrating Cybersecurity and Enterprise Risk Management (ERM), October 2020, was written for both ERM and IT practitioners to consider when establishing governance and reporting processes for cybersecurity (and information security risks) to inform agency level risk decisions. NIST expanded this publication through publication of a subseries with additional “how to” guidance on using the cybersecurity risk register as a method to identify and assess risks in this functional domain, then translate those risks to inform broader, agency level ERM programs.

      NIST previously published the NISTIR 8170 – Approaches for Federal Agencies to Use the Cybersecurity Framework, March 2020, which provides eight example approaches for federal agencies to integrate the NIST CSF into existing risk management work done for FISMA compliance. Among those approaches is Item #1: Integrate enterprise and cybersecurity risk management.

      Please see attachments for more.

    • #15118
      Nahla K. Ivy
      Participant

      Updates have been made to the original post to include the following recent publications:

      NIST IR 8286A
      NIST IR 8286B
      NIST IR 8286C
      NIST IR 8286D (draft)

    • #18120
      Nahla K. Ivy
      Participant

      Posting the Final IR 8286 Part D – Using Business Impact Analysis to Inform Risk Prioritization and Response (published November 2022).

      The final document included input from the Cyber-ERM COI and federal agencies to NIST’s initial public draft.

    • #18122
      Nahla K. Ivy
      Participant

      Posting the new NIST SP 800-221 and accompanying SP 800-221A.

      NIST SP 800-221, Enterprise Impact of Information and Communications Technology Risk; Governing and Managing ICT Risk Programs Within an Enterprise Risk Portfolio, November 2023

      NIST SP 800-221A, Information and Communications Technology (ICT) Risk Outcomes; Integrating ICT Risk Management Programs with the Enterprise Risk Portfolio, November 2023

      These documents extend the foundational concepts established in the NIST IR 8286 Series (Parts A-D) into the broader ICT approach to risk management. Together, the IR 8286 series and the SP 800-221 series address how to better integrate cybersecurity and related ICT risks into the broader enterprise risk discussions and decisions within government agencies, private entities, and non-profit organizations.
