Skip to main content
U.S. flag

An official website of the United States government

Official websites use .gov
A .gov website belongs to an official government organization in the United States.

Secure .gov websites use HTTPS
A lock ( ) or https:// means you’ve safely connected to the .gov website. Share sensitive information only on official, secure websites.

Next Up: Integrating Information and Communication Technology Risk Programs with Enterprise Risk Management

Celebrating 50 years of Cybersecurity at NIST

Given the increasing reliance of organizations on technologies over the past 50 years, a number of risk disciplines have evolved into full-fledged risk programs.  In recent years, cybersecurity, supply chain, and privacy risk management programs have formalized best practices.  Yet the rapid evolution of these disciplines sometimes has led to miscommunication and inefficiencies between those risk programs and overarching enterprise risk management (ERM) portfolio.  The years ahead will focus on optimizing coordination and communication between all risk programs and ERM.

To be supportive of mission and business objectives, each risk program must understand how they support the ERM portfolio.  An ERM context aggregates and normalizes organizations’ risks into risk registers and policies.  This enables government and critical infrastructure entities to quantify consequences and allocate resources commensurate with enterprise exposure and shareholder/stakeholder value.  As enterprise consequences are quantified in financial, mission and reputation metrics, similar to those attributed to other enterprise risks, they enable executives and public officials to prudently reallocate resources among all their particular competing risk types.

Figure 1: Integration of ICT Risk Management in Enterprise Risk Management

In recent years, the NIST Information Technology Laboratory (ITL) has been publishing guidance to codify risk management best practices for individual programs such as privacy, supply chain, and cybersecurity. In acknowledgement of its expansive charter and emerging technologies, ITL is broadening its risk guidance to include how all information and communication technology (ICT) risk programs integrate into ERM. This activity explains how frameworks like the Cybersecurity Framework, Privacy Framework, artificial intelligence, information systems and organizations and Cyber Supply Chain Risk Management will work together to support ERM.  Each of these ICT frameworks is representative of a risk program. Risks within, across, and in-between those programs form a mosaic of peer and interrelated ICT risks.

The ICT risk mosaic, which agencies and enterprises must navigate, is a complex adaptive system-of-systems composed of thousands of interdependent components and a myriad of channels.  These include numerous digital technologies that create, modify, process, communicate and control information as well as the application technologies.  This system-of-systems provides or assists enterprise or personal endeavors and the resultant data represents information, control signals and sensor readings.  As with other complex systems-of-systems, the interconnectedness of these technologies produces system behaviors which cannot be determined by the behavior of its individual components.  That interconnectedness causes risks that exist between risk programs and across multiple risk programs.  ITL is proceeding with a more interconnected approach to risk frameworks and programs to address this special subsect of risks.

As our systems become more complex, they present exploitable vulnerabilities, emergent risks, and system instabilities that, once triggered, can have a runaway effect with multiple, severe, often irreversible consequences.  In the contemporary enterprise, emergency and real-time circumstances can turn a relatively minor ICT-based risk into true Operational Risks that disrupt an organization’s ability to perform mission or business functions.  The upcoming ICT risk management guidance will address some of these challenges, including the notion that real-time systems bring real-time risks and need real-time resilience.

Figure 2: Interactions Between Enterprise, Organization, and System Level Risk Management

A recent NIST Interagency Report pioneers a use case of ERM integration.  The NIST IR 8286 Series of publications demonstrates how to better integrate cybersecurity with ERM.  The Series helps government and critical infrastructure entities effectively quantify, finance, and drive their cybersecurity programs commensurate with enterprise exposure, as well as shareholder and stakeholder value.  The Series acknowledges the need for ongoing bidirectional communication between ERM and risk programs recognizing that the risk disciplines both inform and receive direction from ERM.  Specifically, the communication of risk appetite statements from the ERM portfolio is a way for risk programs to better identify and monitor risks using a variety of related methods such as risk tolerance statements, key performance indicators, key risk indicators, and controls.  Similarly, the NISTIR formalizes the use of risk registers to communicate risks and risk responses between program and portfolio levels.  The series highlights industry best practices for coordination by elevating risks within an organization for oversight and escalating risks within an organization for higher level ownership.

In the upcoming months, NIST will finalize key publications within the NIST IR 8286 Series and publish guidance on how to better integrate ICT risk programs into ERM.  These publications will focus on better communication and coordination across risk programs and portfolio.  Please continue providing feedback on these important guidelines, so we can all enjoy a more effective and efficient future for risk management.

About the author

Stephen Quinn

Mr. Stephen Quinn joined the National Institute of Standards and Technology (NIST) in 2004 and serves as a senior computer scientist in the Information Technology Laboratory (ITL). Mr. Quinn is the lead author for Integrating NIST risk management project work within the paradigm of Enterprise Risk Management (ERM). He is also program manager for the National Checklist Program and the National Online Informative Reference (OLIR) programs at NIST.  He is a co-originator of the NIST Security Content Automation Protocol (SCAP).

Stephen was named to the “Federal 100” by the trade publication Federal Computer Week (FCW) and received the Department of Commence Gold Medal Award for his work in automating security protocols for applications. He also received the Federal CIO Council Leadership award for related work.

Prior to joining NIST, Steve worked in the private sector as a consultant to the Department of Defense and large commercial outsourcings with Wall Street banking firms and insurance companies. Specifically, he comes from an operational background, having owned two companies that provided service offering for vulnerability assessments, designing security architectures, code development, risk management, certifications and accreditations, and ST&Es. His research experience and practitioner experience includes managing and remediating risks specific to computer viruses/malware, intrusion detection systems (IDSs), vulnerability/misconfiguration identification, categorization, and remediation.


Add new comment

Enter the characters shown in the image.
This question is for testing whether or not you are a human visitor and to prevent automated spam submissions.
Please be respectful when posting comments. We will post all comments without editing as long as they are appropriate for a public, family friendly website, are on topic and do not contain profanity, personal attacks, misleading or false information/accusations or promote specific commercial products, services or organizations. Comments that violate our comment policy or include links to non-government organizations/web pages will not be posted.