NISTIR 8286 INTEGRATING CYBERSECURITY AND ERM
This publication is available free of charge from: https://doi.org/10.6028/NIST.IR.8286
Reports on Computer Systems Technology
The Information Technology Laboratory (ITL) at the National Institute of Standards and
Technology (NIST) promotes the U.S. economy and public welfare by providing technical
leadership for the Nation’s measurement and standards infrastructure. ITL develops tests, test
methods, reference data, proof of concept implementations, and technical analyses to advance
the development and productive use of information technology. ITL’s responsibilities include the
development of management, administrative, technical, and physical standards and guidelines for
the cost-effective security and privacy of other than national security-related information in
federal information systems.
Abstract
The increasing frequency, creativity, and severity of cybersecurity attacks mean that all
enterprises should ensure that cybersecurity risk is receiving appropriate attention within their
enterprise risk management (ERM) programs. This document is intended to help individual
organizations within an enterprise improve their cybersecurity risk information, which they
provide as inputs to their enterprise’s ERM processes through communications and risk
information sharing. By doing so, enterprises and their component organizations can better
identify, assess, and manage their cybersecurity risks in the context of their broader mission and
business objectives. Focusing on the use of risk registers to set out cybersecurity risk, this
document explains the value of rolling up measures of risk usually addressed at lower system
and organization levels to the broader enterprise level.
Keywords
cybersecurity risk management (CSRM); cybersecurity risk measurement; cybersecurity risk
profile; cybersecurity risk register (CSRR); enterprise risk management (ERM); enterprise risk
register (ERR); enterprise risk profile; risk appetite; risk tolerance.
Acknowledgments
The authors wish to thank all individuals, organizations, and enterprises that contributed to the
creation of this document. This includes Donna Dodson, Nahla Ivy, Naomi Lefkovitz, Amy
Mahn, Rodney Petersen, Victoria Yan Pillitteri, Ron Ross, and Adam Sedgewick of NIST; Larry
Feldman, Heather Mills, Matthew Smith, and Daniel Topper of Huntington Ingalls Industries;
Mat Heyman of Impresa Management Solutions; and Karen Scarfone of Scarfone Cybersecurity.
Organizations and individuals who provided feedback on the public comment drafts include:
Aon; the Association of Local Government Auditors; Paul Barham, Pat Nolan, Michael Vallone,
and Christopher White of Booz Allen Hamilton; Consortium for Information and Software
Quality; P. Bevill, G. Celestin, J. Chua, M. Creary, E. Flaim, K. Francis, C. Gordon, K. Isaac, C.
Livingston, M. Merritt, M. Nighswander, K. Pannah, J. Prutow, and N. Rohloff of the Cyber-
ERM Community of Interest; FAIR Institute; Forescout Technologies; Adam Bobrow of
Foresight Resilience Strategies; the IT Risk Management Team of the Internal Revenue Service;
Larry Clinton of the Internet Security Alliance; Gerald Beuchelt and Christine Wachter of
LogMeIn; Mosaic 451; Alex Krutov of Navigation Advisors; Ismael Garcia of the Nuclear
Regulatory Commission; Kelly Hood and Tom Conkle of Optic Cyber Solutions; John Kimmins
of Palindrome; Profitabil-IT; Dick Brooks of Reliable Energy Analytics; Jack Freund of
RiskLens; Marshall Toburen of RSA Security; Paul Rohmeyer of Stevens Institute of
Technology; The Open Group; Rob Arnold of Threat Sketch; Ashley P. Moore and Nnake
Nweke of the U.S. Agency for Global Media; U.S. Air Force; U.S. Department of Defense; U.S.