Cyber Risk Management and Compliance

Cyber risk management is a set of recommended methods and processes for bounding, assessing, and continually mitigating risks to information and information systems.

Detailed guidance on cyber risk management for federal systems is in the National Institute of Standards and Technology's (NIST) Special Publication (SP) 800-39, Managing Information Security Risk. Guidance to federal agencies on using cyber risk management is in NIST SP 800-37, Rev. 1, Guide for Applying the Risk Management Framework (RMF) to Federal Information Systems. Guidance for assessing risk is in NIST SP 800-30, Guidance for Conducting Risk Assessments.

Information systems (ISs) are subject to cyber risk, and so should be designed and managed in ways that mitigate the effects of cyber risks. Cyber risk management is the objective of many NIST publications, whose language and methods are formulated to be consistent with international standards such as ISO/IEC 27005, "Information Technology -- Security Techniques -- Information Security Risk Management." By considering ISs as a framework, and by identifying "framing" as the initial risk management step, the guidance aims to protect the entire IS enterprise of discovery, definition, design, development and implementation, as originally outlined in the Information Assurance Technical Framework (IATF) published by the National Security Agency.

Because software applications and information assets (IS refers to both) have great value in our society, the US government, in partnership with other like-minded (several European and Australian) governments and private organizations (e.g., ISO/IEC), created risk management frameworks such as those identified above and recommends compliance with them to protect ISs and related assets while retaining organizations' autonomy. Companies and nonfederal organizations embrace these frameworks either to comply with requirements or on a voluntary basis, to enhance their product and service offerings. An example of a US federal compliance program to mitigate cyber risk to commercially provided cloud implementations is the US Federal Risk and Authorization Management Program (FedRAMP) at https://www.fedramp.gov/.