
Governance Briefing — NIST publishes draft NISTIR 8286 on integrating cybersecurity with ERM

NIST released the initial public draft of NISTIR 8286 on 27 February 2020, outlining how organizations can align cybersecurity risk management activities with enterprise risk management programs and governance structures.


Executive briefing: NIST issued the initial public draft of NISTIR 8286 on 27 February 2020, proposing a repeatable process for integrating cybersecurity risk assessments, risk registers, and treatment plans into enterprise risk management.

What changed

  • Introduces a Cybersecurity Risk Register aligned with ERM risk registers, enabling consistent aggregation and prioritization.
  • Defines roles for governance bodies, risk executives, and system owners to ensure cybersecurity risks are managed alongside financial and operational risks.
  • Maps outputs from cybersecurity frameworks (e.g., NIST CSF) into ERM processes such as risk appetite statements and portfolio views.
  • Requests public comment to refine the integration model ahead of a final publication.

Why it matters

  • Provides structure for presenting cyber risks in business terms, improving board visibility and resource prioritization.
  • Supports consistent treatment and reporting of cyber risks across business units, vendors, and technology portfolios.
  • Aligns control implementation and monitoring activities with enterprise risk appetite and tolerance thresholds.

Action items for operators

  • Crosswalk existing risk registers and CSF assessments to the NISTIR 8286 templates; identify gaps in ownership, metrics, and escalation paths.
  • Engage ERM and internal audit teams to incorporate cybersecurity risk scenarios into enterprise risk reviews and capital planning.
  • Provide comments to NIST on the draft if your organization has unique integration requirements or lessons from prior ERM alignment efforts.
