Staging Cybersecurity Risks for Enterprise Risk Management and Governance Oversight

Date Published: September 2022 (includes updates as of March 6, 2024)

Supersedes: IR 8286C (09/14/2022)

Planning Note (03/06/2024):

The changes made to NIST IR 8286C in this update are documented in Appendix A of the report.


Stephen Quinn (NIST), Nahla Ivy (NIST), Matthew Barrett (CyberESI Consulting Group), Gregory Witte (Huntington Ingalls Industries), Robert Gardner (New World Technology Partners)



cybersecurity risk management; cybersecurity risk measurement; cybersecurity risk register (CSRR); enterprise risk management (ERM); key performance indicator (KPI); key risk indicator (KRI); risk acceptance; risk aggregation; risk avoidance; risk conditioning; risk mitigation; risk optimization; risk prioritization; risk response; risk sharing; risk transfer

Control Families

None selected


Supplemental Material:
See NISTIR 8286 Supplemental Material

Publication Parts:
IR 8286
IR 8286A
IR 8286B
IR 8286D

Document History:
03/06/24: IR 8286C (Final)