The National Institute of Standards and Technology (NIST) published a new guide, NISTIR 8170, to provide Federal agencies with different approaches to leveraging the Cybersecurity Framework to address common cyber problems.
“[NISTIR 8170 is] intended to promote more effective risk management and to encourage dialogue within and among Federal agencies,” the agency writes in the new document.
In the guidance, NIST expands on eight pieces of advice:
- Integrate enterprise and cybersecurity risk management;
- Manage cybersecurity requirements;
- Integrate and align cybersecurity and acquisition processes;
- Evaluate organizational cybersecurity;
- Manage the cybersecurity program;
- Maintain a comprehensive understanding of cybersecurity risk;
- Report cybersecurity risks; and
- Inform the tailoring process.
As of a February 2020 Government Accountability Office report, most critical infrastructure agencies struggled to implement the NIST Cybersecurity Framework because of the lack of precise measurements of improvement and the voluntary nature of the framework. NISTIR 8170 could help agencies overcome these hurdles by providing additional cybersecurity advice.
NIST also released Draft NISTIR 8286, Integrating Cybersecurity and Enterprise Risk Management, for comment yesterday. With this document, the agency hopes to ensure that cyber risks get the appropriate attention within enterprise risk management programs, according to a press release. The public comment period is open through April 20.