The National Institute of Standards and Technology is asking for public comments on a new report that provides insight into how organizations can integrate cybersecurity into enterprise risk management.
The document, titled “NIST-Interagency Report 8286 Integrating Cybersecurity and Enterprise Risk Management,” advises organizations on how to improve the cybersecurity risk information they use to shape their enterprise risk management program.
“This document is intended to help individual organizations within an enterprise improve their cybersecurity risk information, which they provide as inputs to their enterprise’s ERM processes through communications and risk information sharing,” NIST officials wrote.
The report suggests that communication about cybersecurity risk needs to flow between systems’ cybersecurity professionals, organizations’ high-level executives and the enterprises’ corporate leaders. NIST wrote that, by doing so, the enterprise and its system owners will all have a better idea of how to identify, assess and manage cybersecurity risk in relation to business missions.
“All enterprises should ensure cybersecurity risk gets the appropriate attention within their enterprise risk management (ERM) programs, which address all types of risk,” NIST wrote in an announcement. “Individual organizations within an enterprise can improve the cybersecurity risk information they provide as inputs to their enterprise’s ERM processes. By doing so, enterprises and their component organizations can better identify, assess, and manage their cybersecurity risks in the context of their broader mission and business objectives.”
The report will also help high-level executives and corporate leaders understand the difficulties cybersecurity professionals have in communicating information needed to create risk assessments, as well as help cybersecurity leaders understand what information high-level officials need.
The draft document release comes as many Americans are working from home to limit social interactions as the new coronavirus continues to spread in the United States. Experts say mass telework introduces significant cybersecurity risk into networks.
Earlier in the week, NIST released the final draft of Special Publication 800-53 (its fifth revision), after a lengthy delay caused by an extended review by the Office of Management and Budget. The release will likely lead to a spike in NIST publications, because the organization has a large backlog of documents it could not release until the final draft was out: several security controls in those forthcoming documents refer back to the newest SP 800-53 draft.
Comments on NISTIR-8286 are due April 20 and can be emailed to [email protected].
Andrew Eversden covers all things defense technology for C4ISRNET. He previously reported on federal IT and cybersecurity for Federal Times and Fifth Domain, and worked as a congressional reporting fellow for the Texas Tribune. He was also a Washington intern for the Durango Herald. Andrew is a graduate of American University.