October 20, 2025

Understanding NIST: What All Model Risk Management (MRM) Teams Should Know

The National Institute of Standards and Technology (NIST) is a non-regulatory federal agency within the U.S. Department of Commerce. For decades, it has shaped standards that support security and innovation across industries, and its contributions range from foundational cybersecurity guidelines to modern approaches for managing emerging risks in AI.

Organizations that rely heavily on models, such as those in finance, insurance, and healthcare, will benefit from NIST’s frameworks. These sectors depend on models for credit scoring, fraud detection, and medical diagnostics, and as reliance on AI grows, so do the risks.

By leveraging the Cybersecurity Framework (CSF 2.0), Risk Management Framework (RMF) and AI Risk Management Framework (AI RMF), MRM teams can strengthen governance and validation. These resources ensure models are compliant with regulatory requirements. To understand how these frameworks come together in practice, it helps to look at the NIST standards most relevant to MRM teams.

NIST Standards for MRM

An important aspect of NIST is that all of its resources are freely available, allowing organizations of all sizes to adopt world-class practices without barriers. Three that stand out for MRM teams are:

Risk Management Framework (RMF, SP 800-37 Rev. 2): A structured, seven-step process for managing security and privacy risk, emphasizing preparation, supply chain considerations, and enterprise awareness.

Security and Privacy Controls (SP 800-53 Rev. 5): A comprehensive catalog of safeguards organizations can select to protect information systems.

Protecting Controlled Unclassified Information (SP 800-171 Rev. 3): Guidance for securing sensitive but unclassified information, essential in the financial and healthcare sectors.

NIST’s release of the AI RMF in 2023 broadens this base by addressing challenges unique to AI. These principles align with growing regulatory expectations around AI governance and responsible deployment. For MRM teams, these standards provide tools to limit risks, secure sensitive data, and demonstrate compliance to regulators.

CSF 2.0 and Why It Matters

Released in February 2024, CSF 2.0 expands beyond U.S. critical infrastructure to address the cybersecurity concerns of any organization. Originally the framework had five core functions: Identify, Protect, Detect, Respond, and Recover. It now adds a sixth: Govern.

This function focuses on governance, accountability, and organization. Like other regulations, NIST CSF 2.0 has also placed leadership and oversight at the center of the framework. This framework introduces over 100 new subcategories, implementation examples, and expanded supply chain guidance.

For MRM teams, CSF 2.0 provides a structure for embedding cybersecurity into the model lifecycle: securing data pipelines and their integrity, protecting model environments against unauthorized access, and keeping governance practices in line with applicable requirements. Each function has a direct application:

  1. Govern – Establishes the foundation for oversight and helps MRM teams align model governance policies with regulatory requirements such as SR 11-7, SS1/23, and the EU AI Act.
  2. Identify – Covers inventories of models, datasets, and dependencies. Using RMF principles, MRM teams can classify each model correctly and apply the appropriate level of control and oversight to it.
  3. Protect – Focuses on safeguarding infrastructure and models, including encrypting training and inference data and protecting APIs, endpoints, and model intellectual property. Access management and data minimization play a key role in preventing misuse.
  4. Detect – Involves continuous monitoring for cyber threats, malicious inputs, and model-specific anomalies. MRM monitoring focuses on data drift, adversarial manipulation, and bias that may compromise trust in model outputs.
  5. Respond – Integrates incident response plans with model failure protocols. Effective response involves containing cyber incidents, model breakdowns, and model misuse, and in particular communicating with regulators, customers, and internal stakeholders.
  6. Recover – Focuses on restoring normal operations after failures, including re-calibrating affected models and validating restored systems against compliance standards. Post-incident reviews allow MRM teams to strengthen controls and prevent recurrences.

This framework can be seen as a blueprint for safeguarding AI and machine learning models so that they remain reliable and compliant within MRM practices.

Integrating AI RMF

CSF 2.0 and the RMF provide a foundation for cybersecurity and governance; however, they do not fully address the risks unique to AI. That’s where the AI RMF comes in.

Released in 2023, the AI RMF focuses on transparency and robustness, areas that traditional frameworks often overlook. Combined with CSF 2.0 and the RMF, it gives MRM teams an opportunity to improve compliance and safely integrate AI models into decision making.

Taken together, CSF 2.0, the RMF, and the AI RMF give MRM teams the tools they need; they only need to understand how to use them to their advantage. Doing so will keep their models compliant, accountable, and ready to support whatever future innovation comes their way.
