The National Institute of Standards and Technology published NISTIR 8170, Approaches for Federal Agencies to Use the Cybersecurity Framework, featuring examples for implementing the Framework for Improving Critical Infrastructure Cybersecurity (known as the Cybersecurity Framework) in a manner that complements the use of other NIST security and privacy risk management standards, guidelines, and practices.
The examples include support for an Enterprise Risk Management (ERM) approach in alignment with Office of Management and Budget (OMB) and the Federal Information Security Modernization Act (FISMA) requirements so that agency heads can “manage risk commensurate with the magnitude of harm that would result from unauthorized access, use, disclosure, disruption, modification, or destruction of a federal information system or federal information,” NIST reported.
NIST recommended that “use of the Cybersecurity Framework’s components should enable discussion about the various types of risk that might occur within federal organizations and promote conversations about how to determine the likelihood and potential consequences of risk events.” Further, these activities can then be combined with those described in NIST Special Publication (SP) 800-37, Revision 2, Risk Management Framework for Information Systems and Organizations; SP 800-39, Managing Information Security Risk; and other guidelines to form a comprehensive risk-based approach for security and privacy.
“This risk-based approach will assist agencies in determining the risks that are relevant to its mission throughout the operational lifecycle and apply an appropriate type and degree of resources to treat those risks to an acceptable level. Examples in this publication demonstrate the use of the Cybersecurity Framework, the NIST Risk Management Framework (RMF), and other models to evaluate and report agency goals and progress and to inform tailoring activities for managing cybersecurity risk appropriately. Use of a comprehensive cybersecurity risk-based approach, as demonstrated through these examples, supports agencies’ activities to meet their concurrent obligations to comply with the requirements of FISMA and Executive Order (EO) 13800,” NIST said in a release.
NISTIR 8170 (DOI)