2 posts tagged with "NIST AI RMF"

NIST AI Risk Management Framework

NIST CSF 2.0 and AI Agents: Govern, Identify, Protect, Detect, Respond, Recover

· 6 min read
David Sanker
Lawyer, Legal Knowledge Engineer & UAPK Inventor

NIST released Cybersecurity Framework 2.0 in February 2024. The major change from CSF 1.1 is a new Govern function, which makes CSF 2.0 a six-function framework (GV, ID, PR, DE, RS, RC). The Govern function addresses organizational context, risk management strategy, and cybersecurity supply chain: topics that were scattered across CSF 1.1 but now have a first-class function of their own.

For AI agents, the new Govern function is the most directly relevant addition. It's where organizational accountability for AI systems lives.

NIST CSF is voluntary for most US organizations, but it functions as a de facto standard for:

  • Federal contractors and agencies (often required by contract or policy)
  • Critical infrastructure operators (energy, water, finance, healthcare)
  • Organizations seeking cyber insurance
  • Any company using NIST as a security baseline alongside FedRAMP or CMMC

NIST AI RMF in Practice: Using Govern, Map, Measure, Manage to Structure Your AI Agent Policy

· 5 min read
David Sanker
Lawyer, Legal Knowledge Engineer & UAPK Inventor

NIST published the AI Risk Management Framework in January 2023. It's now referenced by the EU AI Act's technical standards bodies, DoD AI ethics guidelines, the Singapore MAS framework, and dozens of sector-specific AI governance documents. It's become the shared vocabulary for AI risk management — and it's voluntary, which means the organizations that implement it well get a structural advantage when regulators start asking questions.

The framework has four core functions: Govern, Map, Measure, Manage. Each maps directly to how UAPK structures AI agent governance.