Official websites use .gov
A .gov website belongs to an official government organization in the United States.

Secure .gov websites use HTTPS
A lock ( ) or https:// means you’ve safely connected to the .gov website. Share sensitive information only on official, secure websites.

Just Released! Risk Management in the Enterprise: NIST SP 800-221 & NIST SP 800-221A
November 17, 2023

Information and Communications Technology (ICT) spans all tools, devices, data, infrastructure, and components and it’s a broad concept that continues to evolve. Enterprise Risk Management (ERM) programs should consider ICT risks alongside those in other risk disciplines like financial or legal which consider the impact on mission and business objectives, strategic planning, and oversight. To aid in this endeavor, NIST is providing guidance, especially for executive decision-makers, risk officers, and those responsible for governance and risk management practices.

Today, NIST is issuing best practices on how to better integrate ICT risk programs into an overarching ERM portfolio—given special attention to coordination and communication across risk programs. These resources will help ICT risk practitioners at all levels of the enterprise and across private and public sectors to better understand and practice ICT risk management in coordination with ERM. 

These publications were developed in close collaboration with private and public sector experts. NIST appreciates and looks forward to further collaboration and feedback from the community. Questions or ideas? Reach out to us via

Related Topics

Security and Privacy: risk management

Applications: enterprise

Created November 14, 2023, Updated November 17, 2023