Official websites use .gov
A .gov website belongs to an official government organization in the United States.

Secure .gov websites use HTTPS
A lock ( ) or https:// means you’ve safely connected to the .gov website. Share sensitive information only on official, secure websites.

NIST IR 8286

Integrating Cybersecurity and Enterprise Risk Management (ERM)

Date Published: October 2020

Planning Note (08/18/2023):

In addition to this foundational document, the NIST Interagency Report (IR) 8286 Series includes:

The NIST IR 8286 series enables risk practitioners to integrate CSRM activities more fully into the broader enterprise risk processes. Because information and technology comprise some of the enterprise’s most valuable resources, it is vital that directors and senior leaders always have a clear understanding of cybersecurity risk posture. It is similarly vital that those identifying, assessing, and treating cybersecurity risk understand enterprise strategic objectives when making risk decisions.


Kevin Stine (NIST), Stephen Quinn (NIST), Gregory Witte (Huntington Ingalls Industries), Robert Gardner (New World Technology Partners)



cybersecurity risk management (CSRM); cybersecurity risk measurement; cybersecurity risk profile; cybersecurity risk register (CSRR); enterprise risk management (ERM); enterprise risk profile; risk appetite; risk tolerance
Control Families

None selected