2nd Draft NIST IR 8286A 1 Identifying and Estimating 2 Cybersecurity Risk for Enterprise Risk 3 Management (ERM) 4 5 Kevin Stine 6 Stephen Quinn 7 Nahla Ivy 8 Larry Feldman 9 Greg Witte 10 R. K. Gardner 11 12 13 14 15 This publication is available free of charge from: 16 https://doi.org/10.6028/ NIST.IR.8286A -draft2 17 18 19 20 2nd Draft NISTIR 8286A 21 Identifying and Estimating 22 Cybersecurity Risk for Enterprise Risk 23 Management (ERM) 24 25 Kevin Stine Larry Feldman 26 Applied Cybersecurity Division Greg Witte 27 Information Technology Laboratory Huntington Ingalls Industries 28 Annapolis Junction, MD 29 30 Stephen Quinn R. K. Gardner 31 Computer Security Division New World Technology Partners 32 Information Technology Laboratory Annapolis, MD 33 34 Nahla Ivy 35 Enterprise Risk Management Office 36 Office of Financial Resource Management 37 38 39 This publication is available free of charge from: 40 https://doi.org/10.6028/ NIST.IR.8286A -draft2 41 42 July 2021 43 44 45 46 U.S. Department of Commerce 47 Gina M. Raimondo, Secretary 48 49 National Institute of Standards and Technology 50 James K. Olthoff, Performing the Non -Exclusive Functions and Duties of the Under Secretary of 51 Commerce for Standards and Technology & Director, National Institute of Standards and Technology 52 National Institute of Standards and Technology Interagency or Internal Report 8286A 53 60 pages ( July 2021) 54 This publication is available free of charge from: 55 https://doi.org/10.6028/ NIST.IR.8286A -draft2 56 Certain commercial entities, equipment, or materials may be identified in this document in order to describe an 57 experimental procedure or concept adequately. Such identification is not intended to imply recommendation or 58 endorsement by NIST, nor is it inte nded to imply that the entities, materials, or equipment are necessarily the best 59 available for the purpose. 60 There may be references in this publication to other publications currently under development by NIST in accordance 61 with its assigned statutory responsibilities. The information in this publication, including concepts and methodologies, 62 may be used by federal agencies even before the completion of such companion publications. Thus, until each 63 publication is completed, current requirement s, guideline s, and procedures, where they exist, remain operative. For 64 planning and transition purposes, federal agencies may wish to closely follow the development of these new 65 publications by NIST. 66 Organizations are encouraged to review all draft publications during public comment periods and provide feedback to 67 NIST. Many NIST cybersecurity publications , ot her than the ones noted above, are available at 68 https://csrc.nist.gov/publications . 69 Public comment period: July 6 through August 6, 2021 70 National Institute of Standards and Technology 71 Attn: Applied Cybers ecurity Division, Information Technology Laboratory 72 100 Bureau Drive (Mail Stop 2000) Gaithersburg, MD 20899 -2000 73 Email: [email protected] 74 All comments are subject to release under the Freedom of Information Act (FOIA). 75 NISTIR 8286A (2ND DRAFT) IDENTIFYING AND ESTIMATING CYBERSECURITY RISK FOR ENTERPRISE RISK MANAGEMENT (ERM) ii Reports on Computer Systems Technology 76 The Information Technology Laboratory (ITL) at the National Institute of Standards and 77 Technology (NIST) promotes the U.S. economy and public welfare by providing technical 78 leadership for the Nation’s measurement and standards infrastructure. ITL develops tests, test 79 methods, refere nce data, proof of concept implementations, and technical analyses to advance the 80 development and productive use of information technology. ITL’s responsibilities include the 81 development of management, administrative, technical, and physical st