NISTIR 8286
Integrating Cybersecurity and
Enterprise Risk Management (ERM)

Kevin Stine
Applied Cybersecurity Division
Information Technology Laboratory

Stephen Quinn
Computer Security Division
Information Technology Laboratory

Greg Witte
Huntington Ingalls Industries
Annapolis Junction, MD

R. K. Gardner
New World Technology Partners
Annapolis, MD

This publication is available free of charge from:
https://doi.org/10.6028/NIST.IR.8286
October 2020

U.S. Department of Commerce
Wilbur L. Ross, Jr., Secretary

National Institute of Standards and Technology
Walter Copan, NIST Director and Under Secretary of Commerce for Standards and Technology

National Institute of Standards and Technology Interagency or Internal Report 8286
74 pages (October 2020)

This publication is available free of charge from:
https://doi.org/10.6028/NIST.IR.8286
Certain commercial entities, equipment, or materials may be identified in this document in order to describe an experimental procedure or concept adequately. Such identification is not intended to imply recommendation or endorsement by NIST, nor is it intended to imply that the entities, materials, or equipment are necessarily the best available for the purpose.

There may be references in this publication to other publications currently under development by NIST in accordance with its assigned statutory responsibilities. The information in this publication, including concepts and methodologies, may be used by federal agencies even before the completion of such companion publications. Thus, until each publication is completed, current requirements, guidelines, and procedures, where they exist, remain operative. For planning and transition purposes, federal agencies may wish to closely follow the development of these new publications by NIST.

Organizations are encouraged to review all draft publications during public comment periods and provide feedback to NIST. Many NIST cybersecurity publications, other than the ones noted above, are available at https://csrc.nist.gov/publications.
Comments on this publication may be submitted to:
National Institute of Standards and Technology
Attn: Applied Cybersecurity Division, Information Technology Laboratory
100 Bureau Drive (Mail Stop 2000) Gaithersburg, MD 20899-8930
Email: [email protected]

All comments are subject to release under the Freedom of Information Act (FOIA).

Reports on Computer Systems Technology
The Information Technology Laboratory (ITL) at the National Institute of Standards and Technology (NIST) promotes the U.S. economy and public welfare by providing technical leadership for the Nation's measurement and standards infrastructure. ITL develops tests, test methods, reference data, proof of concept implementations, and technical analyses to advance the development and productive use of information technology. ITL's responsibilities include the development of management, administrative, technical, and physical standards and guidelines for the cost-effective security and privacy of other than national security-related information in federal information systems.
Abstract

The increasing frequency, creativity, and severity of cybersecurity attacks means that all enterprises should ensure that cybersecurity risk is receiving appropriate attention within their enterprise risk management (ERM) programs. This document is intended to help individual organizations within an enterprise improve their cybersecurity risk information, which they