Integrating Cybersecurity and Enterprise Risk Management: Three Revised NIST IR 8286 Publications Now Available!
The NIST Interagency Report (IR) 8286 series helps practitioners understand the critical connection between cybersecurity and enterprise risk management (ERM). Recent updates to three publications in the series align more closely with the NIST Cybersecurity Framework (CSF) 2.0 and other NIST guidance, placing greater emphasis on cybersecurity governance to ensure that cybersecurity capabilities effectively support broader organizational missions through ERM. View the three finalized publications:
- NIST IR 8286 Revision 1, Integrating Cybersecurity and Enterprise Risk Management, outlines how cybersecurity risk management (CSRM) activities can be integrated into enterprise risk management (ERM) processes, enabling organizations to align cybersecurity decisions with broader strategic objectives and fiduciary responsibilities.
- NIST IR 8286A Revision 1, Identifying and Estimating Cybersecurity Risk for Enterprise Risk Management, provides detailed guidance on identifying cybersecurity risks, estimating their likelihood and impact, and documenting them through cybersecurity risk registers (CSRRs) to support enterprise-level risk analysis and communication.
- NIST IR 8286C Revision 1, Staging Cybersecurity Risks for Enterprise Risk Management and Governance Oversight, describes how to aggregate and harmonize cybersecurity risk data across the enterprise, enabling senior leaders to monitor risk objectives, adjust strategies, and maintain awareness of both threats and opportunities within the enterprise risk portfolio.
See NIST IR 8286r1 to view the entire 8286 series.
If you have any questions about the 8286 series or the CSF site, or would like to share publicly available CSF 2.0 resources with our library, please email the team at csf [at] nist.gov.