Nahla K. Ivy

Forum Replies Created

Viewing 8 posts - 1 through 8 (of 8 total)
  • Author
    Posts
  • in reply to: Risk Appetite Working Group #18258
    Nahla K. Ivy
    Participant

    Posting copy of the Cyber-ERM Quick Start Guide.

    in reply to: Risk Appetite Working Group #18256
    Nahla K. Ivy
    Participant

    Posting copy of the Cyber-ERM Quick Start Guide.

    in reply to: Risk Appetite Working Group #18135
    Nahla K. Ivy
    Participant

    Uploading Latest project team Work Plan (1/22/24)

    in reply to: Cyber-ERM Playbook Chapter (FINAL DRAFT) #18125
    Nahla K. Ivy
    Participant

    Posting final Federal ERM Playbook, 2021 update. Includes new Cyber-ERM Integration chapter, a direct product of the Cyber-ERM COI. Credit: 25 individuals contributed to this content, and are noted in the Playbook.

    in reply to: Recent NIST Publications #18122
    Nahla K. Ivy
    Participant

    Posting the new NIST SP 800-221 and accompanying SP 800-221A.

    NIST SP 800-221, Enterprise Impact of Information and Communications Technology Risk; Governing and Managing ICT Risk Programs Within an Enterprise Risk Portfolio, November 2023

    NIST SP 800-221A, Information and Communications Technology (ICT) Risk Outcomes; Integrating ICT Risk Management Programs with the Enterprise Risk Portfolio, November 2023

    These documents extend the foundational concepts established in the NIST IR 8286 Series (Parts A-D) into the broader ICT approach to risk management. Together, the IR 8286 series and the SP 800-221 series address how to better integrate cybersecurity and related ICT risks into the broader enterprise risk discussions and decisions within government agencies, private entities, and non-profit organizations.

    in reply to: Recent NIST Publications #18120
    Nahla K. Ivy
    Participant

    Posting the Final IR 8286 Part D – Using Business Impact Analysis to Inform Risk Prioritization and Response (published November 2022).

    The final document included input from the Cyber-ERM COI and federal agencies to NIST’s initial public draft.

    in reply to: Recent NIST Publications #15118
    Nahla K. Ivy
    Participant

    Updates have been made to the original post to include the following recent publications:

    NIST IR 8286A
    NIST IR 8286B
    NIST IR 8286C
    NIST IR 8286D (draft)

    in reply to: COI Member Topics of Interest #12672
    Nahla K. Ivy
    Participant

    Would like to begin a thread on cyber supply chain risk management.
    What approaches has your agency taken in this area?
    Do you have an accountable official named for this space?
    Have you reviewed NIST’s guidance in this area – NIST SP 800-161, and its most recent Version 1 Draft? If so, do any of the approaches described there resound with you as a good place to start?
