How can Chief Risk Officers (CRO) and ERM practitioners support Cyber Risk professionals to integrate existing cyber risk management models into the overall framework?

Posted By AFERM, Monday, April 15, 2019
Updated: Monday, November 25, 2024

AFERM EXPERTS SAY...

Version 1.1 of the National Institute of Standards and Technology (NIST) Framework for Improving Critical Infrastructure Cybersecurity, released in July 2018, makes it much easier for CROs and Chief Information Officers (CIOs) to align the cybersecurity framework with the agency's ERM program. Revised definitions and the introduction of various terms (e.g., risk tolerance) make the NIST framework align more closely with existing ERM terminology and approaches. Additionally, Version 1.1 explicitly acknowledges that the NIST framework is not intended to be rigidly applied, but instead tailored to the needs and environment of the organization. As stated on page vi, "The decision about how to apply it is left to the implementing organization." The greater compatibility with ERM, together with the flexibility and encouragement to tailor both risk management efforts to the organization, provides the basis for integrating cybersecurity within the broader ERM framework. Figure 2 on page 12 shows an example of how the NIST framework integrates with overall agency risk management efforts. The revised framework can be found here.

© Copyright 2014-2024 AFERM. All Rights Reserved.
Association for Federal Enterprise Risk Management