
Frequently Asked Questions (FAQs)

NIST AI Risk Management Framework 1.0

1. What is NIST AI RMF?

The NIST AI Risk Management Framework 1.0 is a voluntary framework released in January 2023 that provides guidance for managing AI risks throughout the AI lifecycle. It's designed to help organizations develop more trustworthy AI systems by addressing risks to individuals, organizations, and society.

2. Who should use the AI RMF?

The framework is intended for "AI actors" across all sectors and AI applications - from AI developers and deployers to procurement officials and end users. It's particularly valuable for organizations developing, deploying, or using AI systems in high-risk contexts.

What is an AI Actor?

According to the NIST AI Risk Management Framework (AI RMF), an AI actor is an individual or entity that actively participates in the AI system lifecycle, playing a role in the design, development, deployment, or use of AI systems. These actors include a wide range of stakeholders from various sectors, such as data scientists, software developers, system integrators, end-users, regulatory experts, and even impacted individuals and communities.

Examples of AI Actors:

  • Technical Roles: Data scientists, data engineers, modelers, and systems integrators.
  • Users and Operators: End users, system operators, and practitioners.
  • Governance and Impacted Parties: Legal and privacy experts, human factors experts, socio-cultural experts, advocacy groups, and the general public.

Why the AI RMF Focuses on Actors:

  • Broad Perspective: The framework recognizes that managing AI risks requires a broad set of perspectives, as AI systems are socio-technical in nature and impact individuals, organizations, and society.
  • Lifecycle Involvement: AI actors are considered at every stage of the AI lifecycle, from initial data preparation and model building to deployment, operation, and the potential impact of the AI system.
  • Contextual Risk Management: By including diverse AI actors, the framework encourages comprehensive risk mapping, considering potential negative impacts and ensuring responsible and trustworthy AI use.

3. Is the NIST AI RMF mandatory for regulatory compliance?

No, it's a voluntary framework. However, it may become referenced in future regulations, procurement requirements, or industry standards. Some organizations are already incorporating it into their governance frameworks.

Former President Biden's Executive Order 14116, "Safe, Secure, and Trustworthy Development and Use of AI," drove the US Office of Management & Budget (OMB) to issue OMB Memorandum M-24-10. The memo established binding requirements for federal agencies to manage the risks of artificial intelligence, and many agencies aligned with the NIST AI RMF to meet those obligations.

In January 2025, however, President Trump rescinded Executive Order 14116 and its corresponding OMB memoranda M-24-10 and M-24-18 within 48 hours of taking office. Biden's EO 14116 was replaced by Trump's own Executive Order 14179, "Removing Barriers to American Leadership in Artificial Intelligence". This order set the stage for a broader policy agenda, leading to "America's AI Action Plan", released in July 2025 along with three additional executive orders:

  1. Preventing Woke AI in the Federal Government: This order mandates that AI models procured by federal agencies must prioritize "truth-seeking" and "ideological neutrality". It specifically targets perceived biases related to "diversity, equity, and inclusion" (DEI).
  2. Accelerating Federal Permitting of Data Center Infrastructure: This order aims to speed up the construction of AI data centers by fast-tracking permitting, easing environmental reviews, and using federal lands for development.
  3. Promoting the Export of the American AI Technology Stack: This order establishes a program to promote the export of "full-stack" American AI technologies, including hardware and software, to allied nations.

4. What types of AI risks does the framework address?

NIST AI RMF covers a broad spectrum of risks, including bias and fairness issues, privacy violations, safety risks, security vulnerabilities, transparency and explainability concerns, and broader societal impacts.

Specifically, the NIST AI RMF guides organizations to map and identify risk across the entire AI lifecycle.

5. How does NIST AI RMF relate to the NIST Cybersecurity Framework?

The AI RMF follows a similar structure to the NIST CSF, but addresses AI-specific risks. Organizations often use both frameworks together, as AI systems introduce cybersecurity risks while cybersecurity is just one dimension of AI risk.

6. How does an organization get started using NIST AI RMF?

To get started, the organization needs to:
  1. Establish formal AI Management Function leadership, authority, and subject-matter expertise. One of the most critical first steps is to establish clear accountability and governance by defining who is responsible for managing AI risks. Organizations can create a cross-functional committee with representatives from legal, IT, compliance, and relevant business units. A team of cross-functional leaders (e.g., directors, vice presidents, officers, and managers) with sufficient organizational authority must be designated and trained to establish a formal AI governance and risk management Function/Department/Office. Optimally, the organization should even consider appointing a Chief AI Officer to lead the effort.
  2. Leadership authorizes, initiates, and plans the organization's AI management system to support the organization's greater enterprise governance, risk, and compliance management.
  3. The NIST AI Risk Management Framework is used to improve AI risk governance, assessment, and treatment practiced within the formal AI Management system.

7. Can I get certified as a subject-matter expert in NIST AI RMF?

Yes! Certified Information Security is the only IRMCB-accredited and authorized training provider and certification exam proctor for the NIST AI RMF A1.0 Architect professional credential.


FAQs: NIST Cybersecurity Framework 2.0

1. What is NIST CSF 2.0? Why do we need it?

The NIST Cybersecurity Framework 2.0 is the latest version of the U.S. National Institute of Standards and Technology's Cybersecurity Framework, released in February 2024, providing a universal, risk-based guide for any organization to manage cybersecurity risks. It adds a new "Govern" function, bringing the core to six functions - Govern, Identify, Protect, Detect, Respond, and Recover - that guide organizations in prioritizing and communicating cybersecurity efforts. The framework offers flexible guidance and resources to help organizations improve their resilience against cybersecurity threats, regardless of their size, sector, or maturity.

How do organizations benefit from NIST CSF 2.0?

  • Manage Cybersecurity Risks: It provides a high-level taxonomy of outcomes for understanding, assessing, prioritizing, and communicating cybersecurity risks. 
  • Improve Communication: The framework facilitates internal communication across all levels of an organization and improves communication with suppliers and partners. 
  • Integrate Risk Management: CSF 2.0 helps integrate cybersecurity risk management with broader enterprise risk management strategies. 
  • Enhance Cybersecurity Programs: It offers a voluntary, adaptable framework for implementing, maintaining, and improving cybersecurity programs. 
  • Strengthen Supply Chain Security: The updated framework places a greater emphasis on supply chain security and governance. 

2. Who should use NIST CSF 2.0?

Who needs NIST CSF 2.0?

All Organizations: CSF 2.0 is designed for any organization that wants to improve its cybersecurity posture, including those in critical infrastructure, healthcare, finance, government, academia, and the broader private sector. 

  • Small and Medium-Sized Businesses (SMBs): The framework's adaptability makes it useful for smaller organizations to align cybersecurity with business goals, build trust, and stay compliant with standards. 
  • Government Agencies: Federal agencies are required to use it, and the framework helps them align with government-wide priorities and demonstrate commitment to security. 
  • Enterprises of All Sizes: Whether you are a large enterprise or a nascent tech company, CSF 2.0 provides guidance for managing and mitigating cybersecurity risks effectively. 

Why do organizations need it?

  • Risk-Based Approach: It helps organizations understand, assess, and prioritize their cybersecurity efforts to improve their overall security posture. 
  • Flexibility: The framework is non-prescriptive and can be tailored to fit an organization's specific business objectives, resources, and risk tolerance. 
  • Holistic Cybersecurity: CSF 2.0 emphasizes integrating cybersecurity into enterprise risk management and business operations, rather than treating it as a separate IT function. 
  • Supply Chain Focus: The updated framework includes enhanced guidance on managing supply chain risks, a crucial aspect for organizations of all types. 
  • Emerging Technology Guidance: It offers insights for securing newer technologies like artificial intelligence, IoT, and cloud computing. 

3. Is the NIST CSF 2.0 mandatory for regulatory compliance?

No, the NIST Cybersecurity Framework 2.0 (CSF 2.0) is not mandatory for most organizations since it is a voluntary framework offering best practices for cybersecurity risk management.

However, compliance is mandatory for U.S. federal agencies and their supply chain partners, and it may be referenced in contracts or specific industry regulations. Many organizations adopt it voluntarily to enhance their cybersecurity posture and align with industry standards.

Who needs to comply?

  • U.S. Federal Agencies: Compliance is mandatory for U.S. federal government agencies, according to Executive Order 13800. 
  • U.S. Federal Supply Chain Partners: Organizations that contract with federal agencies or handle government data are also required to align with the framework. 
  • Other Commercial Sector Supply Chain Partners: Private businesses and organizations in any sector often adopt the framework to comply with customer-related contract requirements.

4. What types of cybersecurity risks does NIST CSF 2.0 address?

NIST CSF 2.0 addresses the full spectrum of cybersecurity risks organizations face, including supply chain, emerging technologies, privacy, and financial risks, by providing a framework to manage cyber risks in alignment with broader enterprise risk management (ERM) goals. The 2024 update expands guidance beyond critical infrastructure to all organizational sectors and integrates the new Govern function to centralize decision-making and strategic planning for managing risks across various domains. 

5. How does NIST CSF 2.0 relate to the NIST AI Risk Management Framework?

The NIST Cybersecurity Framework follows a similar structure to the NIST AI RMF, but addresses cyber-specific risks. Organizations often use both frameworks together, as AI systems introduce cybersecurity risks while cybersecurity is just one dimension of AI risk.

6. How does an organization get started using NIST CSF 2.0?

To get started, the organization needs to:

  1. Establish formal Cybersecurity Management Function leadership, authority, and subject-matter expertise. One of the most critical first steps is to establish clear accountability and governance by defining who is responsible for managing cyber risks. Organizations can create a cross-functional committee with representatives from legal, IT, compliance, and relevant business units. A team of cross-functional leaders (e.g., directors, vice presidents, officers, and managers) with sufficient organizational authority must be designated and trained to establish a formal cybersecurity governance and risk management Function/Department/Office. Optimally, the organization should even consider appointing a Chief Information Security Officer to lead the effort.
  2. Leadership authorizes, initiates, and plans the organization's cybersecurity management system to support the organization's greater enterprise governance, risk, and compliance management.
  3. The NIST Cybersecurity Framework is used to improve cyber risk governance, assessment, and treatment practiced within the formal information security management system.

7. Can I get certified as a subject-matter expert in NIST CSF 2.0 implementation and assessing/auditing?

Yes! Certified Information Security is the only IRMCB-accredited and authorized training provider and certification exam proctor for the NIST CSF 2.0 Lead Implementer and NIST CSF 2.0 Lead Auditor professional credentials.
