Integrating Cybersecurity and Enterprise Risk Management: Three Updated NIST IR 8286 Publications Now Available

The NIST Interagency Report (IR) 8286 series helps practitioners understand the critical connection between cybersecurity and enterprise risk management (ERM). Recent updates to three publications in the series align more closely with the NIST Cybersecurity Framework (CSF) 2.0 and other NIST guidance, placing greater emphasis on cybersecurity governance to ensure that cybersecurity capabilities effectively support broader organizational missions through ERM. View the three finalized publications:    

• NIST IR 8286 Revision 1, Integrating Cybersecurity and Enterprise Risk Management, outlines how cybersecurity risk management (CSRM) activities can be integrated into enterprise risk management (ERM) processes, enabling organizations to align cybersecurity decisions with broader strategic objectives and fiduciary responsibilities. 

• NIST IR 8286A Revision 1, Identifying and Estimating Cybersecurity Risk for Enterprise Risk Management, provides detailed guidance on identifying cybersecurity risks, estimating their likelihood and impact, and documenting them through cybersecurity risk registers (CSRRs) to support enterprise-level risk analysis and communication. 

• NIST IR 8286C Revision 1, Staging Cybersecurity Risks for Enterprise Risk Management and Governance Oversight, describes how to aggregate and harmonize cybersecurity risk data across the enterprise, enabling senior leaders to monitor risk objectives, adjust strategies, and maintain awareness of both threats and opportunities within the enterprise risk portfolio. 

NIST Cybersecurity and Privacy Program
Questions and comments can be directed to: nistir8286@nist.gov 
CSRC Website questions: csrc-inquiry@nist.gov