Overview

Risk Management Projects/Programs

Risk Management Framework
The selection and specification of security and privacy controls for a system is accomplished as part of an organization-wide information security and privacy program that involves the management of organizational risk—that is, the risk to the organization or to individuals associated with the operation of a system. The Risk Management Framework provides a process that integrates security, privacy, and risk management activities into the system development life cycle. The risk-based approach to control selection and specification considers effectiveness, efficiency, and constraints due to applicable laws, directives, Executive Orders, policies, standards, or regulations.

Cyber Supply Chain Risk Management 
Cyber Supply Chain Risk Management (C-SCRM) is the process of identifying, assessing, and mitigating the risks associated with the distributed and interconnected nature of IT/OT product and service supply chains. It covers the entire life cycle of a system (including design, development, distribution, deployment, acquisition, maintenance, and destruction) as supply chain threats and vulnerabilities may intentionally or unintentionally compromise an IT/OT product or service at any stage.

Privacy Engineering
The NIST privacy engineering program (PEP) supports the development of trustworthy information systems by applying measurement science and system engineering principles to the creation of frameworks, risk models, guidance, tools, and standards that protect privacy and, by extension, civil liberties.

Protecting Controlled Unclassified Information
The protection of Controlled Unclassified Information (CUI) in nonfederal systems and organizations is of paramount importance to federal agencies and can directly impact the ability of the federal government to successfully conduct its assigned missions and business operations. The suite of guidance (NIST Special Publication (SP) 800-171, SP 800-171A, and SP 800-171B) focuses on protecting the confidentiality of CUI and recommends specific security requirements to achieve that objective. It does not change the information security requirements set forth in the Federal Information Security Modernization Act (FISMA), nor does it alter the responsibility of federal agencies to comply with the full provisions of the statute, the policies established by OMB, and the supporting security standards and guidelines developed by NIST.

Selected Publications

SP 800-53 Rev. 5: Security and Privacy Controls for Information Systems and Organizations

SP 800-37: Risk Management Framework for Information Systems and Organizations: A System Life Cycle Approach for Security and Privacy

SP 800-39: Managing Information Security Risk: Organization, Mission, and Information System View

SP 800-30 Rev. 1: Guide for Conducting Risk Assessments

SP 800-53A: Assessing Security and Privacy Controls in Federal Information Systems and Organizations: Building Effective Assessment Plans

SP 800-161: Supply Chain Risk Management Practices for Federal Information Systems and Organizations

News

NIST Shares Key Practices in Cyber Supply Chain Risk Management Based on Observations from Industry

NIST Finalizes Cybersecurity Guidance for Positioning, Navigation and Timing Systems

Propelling Cyber Technologies Forward