NIST to release overhauled risk management framework Thursday

The National Institute of Standards and Technology (NIST) is set to publicly release a substantially updated version of its risk-management framework on Thursday.
NIST, a Department of Commerce non-regulatory agency that sets scientific standards, developed the framework to help agencies maintain required risk-based strategies for information technology (IT).
Ronald Ross, a NIST fellow, made the announcement Wednesday at the 8th Annual Splunk Users’ Conference in Washington, D.C.
Ross said many of the changes will focus on incorporating agency leadership into decision-making.
The framework is designed to be tailored at each location, including the development of agency-specific standards for personnel.
Ross said that in meeting with information-security staff, a major concern was that leadership was too removed from the process of designing the strategy, forcing the buck to stop with lower-level employees.
“That’s been one of the drivers [for updating the framework] — bringing the C-suite closer to the operational side,” he said.
Ross said the new framework would add an “organizational step” to the process of managing risk that would bring higher-ups into decision-making processes.
Other changes to the risk-management framework will include better integration of the cybersecurity framework now required of all agencies and a new section covering privacy.
Copyright 2023 Nexstar Media Inc. All rights reserved. This material may not be published, broadcast, rewritten, or redistributed.