NIST to release overhauled risk management framework Thursday


The National Institute of Standards and Technology (NIST) is set to publicly release a substantially updated version of its risk-management framework on Thursday.

NIST, a non-regulatory agency within the Department of Commerce that sets scientific standards, developed the framework to help agencies maintain required risk-based strategies for information technology (IT).

Ronald Ross, a NIST fellow, made the announcement Wednesday at the 8th Annual Splunk Users’ Conference in Washington, D.C.


Ross said many of the changes will focus on incorporating agency leadership into decision-making.

The framework is designed to be tailored at each location, including the development of agency-specific standards for personnel.

Ross said that in his meetings with information-security staff, a major concern was that leadership was too removed from the process of designing the strategy, forcing the buck to stop with lower-level employees.

“That’s been one of the drivers [for updating the framework] — bringing the C-suite closer to the operational side,” he said. 

Ross said the new framework would add an “organizational step” to the process of managing risk that would bring higher-ups into decision-making processes.

Other changes to the risk-management framework will include better integration of the cybersecurity framework now required of all agencies and a new section covering privacy. 


Copyright 2023 Nexstar Media Inc. All rights reserved. This material may not be published, broadcast, rewritten, or redistributed.
