NIST updates Risk Management Framework

The National Institute of Standards and Technology is updating its Risk Management Framework to help public- and private-sector organizations better protect critical infrastructure and individuals' privacy.  

The new version addresses how organizations can assess and manage risks to their data and systems by focusing on protecting individuals' personally identifiable information. Information security and privacy programs share responsibility for managing risks from unauthorized system activities or behaviors, the draft states, making their goals complementary and coordination essential.

The draft update also ties the risk framework more closely to the Cybersecurity Framework.

“Until now, federal agencies had been using the RMF and CSF separately,” NIST Fellow Ron Ross, one of the publication’s authors, wrote in a May 9 blog post. “The update provides cross-references so that organizations using the RMF can see where and how the CSF aligns with the current steps in the RMF.”

While the frameworks are optional for the private sector, federal agency compliance with the RMF became mandatory under the Federal Information Security Modernization Act of 2014. Agencies were also directed to comply with the CSF under a May 2017 executive order.  

The updated RMF also makes other changes:

  • Integrating security and privacy into systems development.
  • Connecting senior leaders to operations to better prepare for RMF execution.
  • Incorporating supply chain risk management considerations.
  • Supporting security and privacy safeguards from NIST’s Special Publication 800-53 Revision 5.

NIST is accepting comments on the draft until June 22.  The new version of the RMF can be found here.

About the Author

Sara Friedman is a reporter/producer for GCN, covering cloud, cybersecurity and a wide range of other public-sector IT topics.

Before joining GCN, Friedman was a reporter for Gambling Compliance, where she covered state issues related to casinos, lotteries and fantasy sports. She has also written for Communications Daily and Washington Internet Daily on state telecom and cloud computing. Friedman is a graduate of Ithaca College, where she studied journalism, politics and international communications.

Friedman can be contacted at [email protected] or follow her on Twitter @SaraEFriedman.

Click here for previous articles by Friedman.


  • Records management: Look beyond the NARA mandates

    Pandemic tests electronic records management

    Between the rush enable more virtual collaboration, stalled digitization of archived records and managing records that reside in datasets, records management executives are sorting through new challenges.

  • boy learning at home (Travelpixs/

    Tucson’s community wireless bridges the digital divide

    The city built cell sites at government-owned facilities such as fire departments and libraries that were already connected to Tucson’s existing fiber backbone.

Stay Connected