NIST has released, in final form, Special Publication 800-39, Managing Information Security Risk: Organization, Mission, and Information System View.
NIST describes SP 800-39 as “the capstone publication in the Joint Task Force publications,” one that “provides guidance to federal agencies and their contractors on how to manage information security risk associated with the operation and use of information systems. For decades, organizations have managed risk at the information system level. This information system focus provided a very narrow, stovepiped, perspective that constrained risk-based decisions by senior leaders/executives to the tactical level—devoid, in many cases, of any direct linkage or traceability to the important organizational missions/business functions being carried out by enterprises. The concentration on information systems security resulted in a focus on vulnerability management at the expense of strategic risk management applied across enterprises.”
Attached below is the final version of NIST SP 800-39. Also attached is NIST’s news release on the document.