More than ever, organizations must balance a rapidly evolving cybersecurity and privacy threat landscape against the need to fulfill business requirements on an enterprise level. Risk management underlies everything that NIST does in cybersecurity and privacy and is part of its full suite of standards and guidelines. To help organizations to specifically measure and manage their cybersecurity risk in a larger context, NIST has teamed with stakeholders in each of these efforts. Examples include:
- Integrating Cybersecurity and Enterprise Risk Management (ERM) (NISTIR 8286) promotes greater understanding of the relationship between cybersecurity risk management and ERM, and the benefits of integrating those approaches. The increasing frequency, creativity, and variety of cybersecurity attacks mean that all enterprises should ensure cybersecurity risk receives the appropriate attention along with other risk disciplines – legal, financial, etc. – within their ERM programs. This document helps cybersecurity risk management practitioners at all levels of the enterprise, in the private and public sectors, to better understand and practice cybersecurity risk management within the context of ERM. Through the use of a risk register as an organizing construct, enterprises and their component organizations can better identify, assess, communicate, and manage their cybersecurity risks in the context of their stated mission and business objectives, using language and constructs already familiar to senior leaders. Follow-on documents are in progress. NIST risk management disciplines are being integrated under the umbrella of ERM, and additional guidance is being developed to support this integration.
- The NIST Cybersecurity Framework (CSF) helps organizations to understand their cybersecurity risks (threats, vulnerabilities and impacts) and how to reduce those risks with customized measures. Initially intended for U.S. private-sector owners and operators of critical infrastructure, the voluntary Framework’s user base has grown dramatically across the nation and globe. The Framework integrates industry standards and best practices. It provides a common language that allows staff at all levels within an organization – and at all points in a supply chain – to develop a shared understanding of their cybersecurity risks. NIST worked with private-sector and government experts to create the Framework. Congress ratified it as a NIST responsibility in the Cybersecurity Enhancement Act of 2014 and a 2017 Executive Order directed federal agencies to use the Framework. The CSF’s five functions are used by the Office of Management and Budget (OMB), the Government Accountability Office (GAO), and many others as the organizing approach in reviewing how organizations assess and manage cybersecurity risks.
- The Risk Management Framework (RMF) provides a flexible and tailorable seven-step process that integrates cybersecurity and privacy, along with supply chain risk management activities, into the system development life cycle. The NIST RMF links to a suite of NIST standards and guidelines to support implementation of risk management programs to meet the requirements of the Federal Information Security Modernization Act (FISMA), including control selection, implementation, assessment, and continuous monitoring. NIST updated the RMF to support privacy risk management and to incorporate key Cybersecurity Framework and systems engineering concepts. Originally targeted at federal agencies, today the RMF is also used widely by state and local agencies and private sector organizations.
- The Privacy Framework: A Tool for Improving Privacy through Enterprise Risk Management was modeled after the NIST Cybersecurity Framework to enable organizations to use them together to manage cybersecurity and privacy risks collectively. This tool helps organizations to understand how their data processing activities may create privacy risks for individuals and provides the building blocks for the policies and technical capabilities necessary to manage these risks and build trust in their products and services while supporting compliance obligations. The framework provides a common language that allows staff at all levels within an organization – and throughout the data processing ecosystem – to develop a shared understanding of their privacy risks. NIST developed the voluntary framework in an open and public process with private-sector and public-sector experts.
- Cybersecurity Supply Chain Risk Management (C-SCRM) helps organizations to manage the increasing risk of supply chain compromise related to cybersecurity, whether intentional or unintentional. The aspects of the supply chain in scope include information technology (IT), operational technology (OT), communications, the Internet of Things (IoT), and Industrial IoT. NIST collaborates with public and private sector stakeholders to research and develop C-SCRM tools and metrics, producing case studies and widely used guidelines on mitigation strategies. NIST also convenes stakeholders to assist organizations in managing these risks.
- The Workforce Framework for Cybersecurity (NICE Framework) provides a common lexicon for describing cybersecurity work. People are the primary attack vector for cybersecurity threats, and managing human risk is key to strengthening an organization’s cybersecurity posture. The NICE Framework provides a set of building blocks that enable organizations to identify and develop the skills of those who perform cybersecurity work. It further helps learners explore cybersecurity work opportunities and engage in relevant learning activities to develop the knowledge and skills necessary to be job-ready.
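The first item above describes the risk register as the construct through which cybersecurity risks are recorded, scored, and reported to senior leaders alongside other enterprise risks. The following is an added illustration of that idea in Python; it is not code from NIST or from NISTIR 8286. The register fields, the 1–5 qualitative scale for likelihood and impact, the exposure score as their product, the banding thresholds, and the four response types are assumptions made for this example, and the register entries are constructed sample data.

```python
"""Illustrative cybersecurity risk register (added example; not NIST's own code).

Assumed conventions, not taken from the page: likelihood and impact are rated
on a five-step qualitative scale, exposure is their product on a 1..25 scale,
and each risk carries one of four conventional response types.
"""
from dataclasses import dataclass
from typing import Dict, List

# Qualitative scale (assumed for this illustration).
SCALE = {"very low": 1, "low": 2, "moderate": 3, "high": 4, "very high": 5}
# Conventional risk response types (assumed).
RESPONSE_TYPES = {"accept", "avoid", "mitigate", "transfer"}


@dataclass(frozen=True)
class RiskEntry:
    """One row of the register. Field names are illustrative, not a NIST template."""
    risk_id: str
    description: str
    category: str     # enterprise risk category leaders already use, e.g. "operational"
    likelihood: str   # key of SCALE
    impact: str       # key of SCALE
    response: str     # member of RESPONSE_TYPES
    owner: str

    def __post_init__(self) -> None:
        # Reject ratings outside the agreed scale so the register stays comparable.
        for name in ("likelihood", "impact"):
            if getattr(self, name) not in SCALE:
                raise ValueError(f"{name!r} must be one of {sorted(SCALE)}")
        if self.response not in RESPONSE_TYPES:
            raise ValueError(f"response must be one of {sorted(RESPONSE_TYPES)}")

    @property
    def exposure(self) -> int:
        """Exposure rating: likelihood x impact on the assumed 1..25 scale."""
        return SCALE[self.likelihood] * SCALE[self.impact]


def exposure_band(score: int) -> str:
    """Map a 1..25 exposure score to a band comparable across risk disciplines (thresholds assumed)."""
    if score >= 15:
        return "high"
    if score >= 6:
        return "moderate"
    return "low"


def validate_register(register: List[RiskEntry]) -> List[str]:
    """Report data-quality problems that would undermine the register: duplicate IDs, unowned risks."""
    problems: List[str] = []
    seen = set()
    for entry in register:
        if entry.risk_id in seen:
            problems.append(f"duplicate risk_id {entry.risk_id}")
        seen.add(entry.risk_id)
        if not entry.owner.strip():
            problems.append(f"{entry.risk_id} has no owner")
    return problems


def prioritize(register: List[RiskEntry]) -> List[str]:
    """Risk IDs ordered by descending exposure; ties broken by ID so reports are stable."""
    return [e.risk_id for e in sorted(register, key=lambda e: (-e.exposure, e.risk_id))]


def rollup_by_category(register: List[RiskEntry]) -> Dict[str, Dict[str, object]]:
    """Enterprise-level summary per category: count, highest exposure, its band, and the top risk."""
    summary: Dict[str, Dict[str, object]] = {}
    # Descending order means the first entry seen in a category is its highest exposure.
    for entry in sorted(register, key=lambda e: (-e.exposure, e.risk_id)):
        cat = summary.setdefault(
            entry.category, {"count": 0, "max_exposure": 0, "band": "low", "top_risk": None}
        )
        cat["count"] += 1
        if entry.exposure > cat["max_exposure"]:
            cat["max_exposure"] = entry.exposure
            cat["band"] = exposure_band(entry.exposure)
            cat["top_risk"] = entry.risk_id
    return summary


# Constructed sample register (illustrative entries, not real findings).
SAMPLE_REGISTER = [
    RiskEntry("CR-001", "Unpatched internet-facing web servers", "operational",
              "high", "very high", "mitigate", "Head of Infrastructure"),
    RiskEntry("CR-002", "Third-party payroll provider outage", "financial",
              "low", "high", "transfer", "CFO"),
    RiskEntry("CR-003", "Phishing leading to credential theft", "operational",
              "very high", "moderate", "mitigate", "CISO"),
    RiskEntry("CR-004", "Isolated legacy test lab with no external access", "operational",
              "moderate", "very low", "accept", "Lab Manager"),
]

if __name__ == "__main__":
    for problem in validate_register(SAMPLE_REGISTER):
        print("register problem:", problem)
    for risk_id in prioritize(SAMPLE_REGISTER):
        print(risk_id)
    for category, summary in rollup_by_category(SAMPLE_REGISTER).items():
        print(category, summary)
```

The roll-up is the part that speaks to the ERM audience: a category summary with a band and a named top risk can sit next to legal or financial entries in the same enterprise view, while the per-entry exposure and owner fields keep the cybersecurity detail needed to manage each risk.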