The National Institute of Standards and Technology (NIST) announces the final publication of Special Publication 800-39, Managing Information Security Risk: Organization, Mission, and Information System View. NIST Special Publication 800-39 is the fourth in the series of risk management and information security guidelines being developed by the Joint Task Force Transformation Initiative, a joint partnership among the Department of Defense, Intelligence Community, NIST, and the Committee on National Security Systems.
NIST Special Publication 800-39, the capstone publication in the Joint Task Force series, provides guidance to federal agencies and their contractors on how to manage information security risk associated with the operation and use of information systems. For decades, organizations have managed risk at the information system level. This information-system focus provided a very narrow, stovepiped perspective that constrained risk-based decisions by senior leaders/executives to the tactical level—devoid, in many cases, of any direct linkage or traceability to the important organizational missions/business functions being carried out by enterprises. The concentration on information systems security resulted in a focus on vulnerability management at the expense of strategic risk management applied across enterprises.