Skip to main content
U.S. flag

An official website of the United States government

Dot gov

The .gov means it’s official.
Federal government websites often end in .gov or .mil. Before sharing sensitive information, make sure you’re on a federal government site.

Https

The site is secure.
The https:// ensures that you are connecting to the official website and that any information you provide is encrypted and transmitted securely.

Risk Management Projects/Programs

Risk Management Framework 
The selection and specification of security and privacy controls for a system is accomplished as part of an organization-wide information security and privacy program that involves the management of organizational risk---that is, the risk to the organization or to individuals associated with the operation of a system. The Risk Management Framework provides a process that integrates security, privacy and risk management activities into the system development life cycle. The risk-based approach to control selection and specification considers effectiveness, efficiency, and constraints due to applicable laws, directives, Executive Orders, policies, standards, or regulations. 
 
Cyber Supply Chain Risk Management 
Cyber Supply Chain Risk Management (C-SCRM) is the process of identifying, assessing, and mitigating the risks associated with the distributed and interconnected nature of IT/OT product and service supply chains. It covers the entire life cycle of a system (including design, development, distribution, deployment, acquisition, maintenance, and destruction) as supply chain threats and vulnerabilities may intentionally or unintentionally compromise an IT/OT product or service at any stage.

Privacy Engineering
The NIST privacy engineering program (PEP) supports the development of trustworthy information systems by applying measurement science and system engineering principles to the creation of frameworks, risk models, guidance, tools, and standards that protect privacy and, by extension, civil liberties.

Protecting Controlled Unclassified Information
The protection of Controlled Unclassified Information (CUI) in nonfederal systems and organizations is of paramount importance to federal agencies and can directly impact the ability of the federal government to successfully conduct its assigned missions and business operations. The suite of guidance (NIST Special Publication (SP) 800-171, SP 800-171A, and SP 800-171B) focuses on protecting the confidentiality of CUI, and recommends specific security requirements to achieve that objective. It does not change the information security requirements set forth in Federal Information System Modernization Act (FISMA), nor does it alter the responsibility of federal agencies to comply with the full provisions of the statute, the policies established by OMB, and the supporting security standards and guidelines developed by NIST.

News and Updates

Publications

Case Studies in Cyber Supply Chain Risk Management: Mayo Clinic

Author(s)
Jon M. Boyens, Celia Paulsen, Nadya Bartol, Kris Winkler, James Gimbi
The Case Studies in Cyber Supply Chain Risk Management series engaged with several companies that are leaders in managing cyber supply chain risk. These case