NIST-AI-RMF
NIST AI Risk Management Framework 1.0 (AI 100-1)
- I. Foundational Information
- Art. FR-1. Understanding and Addressing Risks, Impacts, and Harms (3)
- Art. TR-1. Valid and Reliable (4)
- Art. TR-2. Safe (5)
- Art. TR-3. Secure and Resilient (3)
- Art. TR-4. Accountable and Transparent (3)
- Art. TR-5. Explainable and Interpretable (3)
- Art. TR-6. Privacy-Enhanced ref
- Art. TR-7. Fair — with Harmful Bias Managed ref
- II. AI RMF Core Framework
- Ch. 1 — GOVERN
- Art. GV-1. Policies, Processes, Procedures, and Practices (8)
- Art. GV-2. Accountability Structures (3)
- Art. GV-3. Workforce Diversity, Equity, Inclusion, and Accessibility (2)
- Art. GV-4. Organizational Culture of AI Risk (6)
- Art. GV-5. Engagement with Relevant AI Actors (3)
- Art. GV-6. Third-Party AI Risks and Supply Chain (3)
- Ch. 2 — MAP
- Art. MP-1. Context is Established and Understood (8)
- Art. MP-2. Categorization of the AI System (6)
- Art. MP-3. AI Capabilities, Usage, Goals, Benefits, and Costs (5)
- Art. MP-4. Third-Party Component Risks and Benefits (5)
- Art. MP-5. Impact Characterization (4)
- Ch. 3 — MEASURE
- Art. MS-1. Appropriate Methods and Metrics (11)
- Art. MS-2. Trustworthy Characteristics Evaluation (24)
- Art. MS-3. Risk Tracking Mechanisms (5)
- Art. MS-4. Measurement Efficacy Feedback (6)
- Ch. 4 — MANAGE
- Art. MG-1. Risk Prioritization and Response (4)
- Art. MG-2. Strategies for Benefits and Impact Management (6)
- Art. MG-3. Third-Party AI Risk Management (2)
- Art. MG-4. Risk Treatment and Communication Plans (5)
- Annex A. NIST AI RMF Subcategory Reference
Documentation Obligations (34)
Title I — Foundational Information
Article TR-2. Safe
1 obligation
Title II — AI RMF Core Framework
Chapter 1 — GOVERN
Article GV-1. Policies, Processes, Procedures, and Practices
2 obligations
NIST-RMF-GV-1-01
Documentation
Understand, manage, and document AI legal and regulatory requirements
Organizations must understand, actively manage, and maintain documentation of all legal and regulatory requirements that
NIST-RMF-GV-1-06
Documentation
Implement AI system inventory mechanisms
Organizations must establish mechanisms to inventory AI systems and ensure these mechanisms are adequately resourced acc
Article GV-2. Accountability Structures
1 obligation
Article GV-4. Organizational Culture of AI Risk
1 obligation
Chapter 2 — MAP
Article MP-1. Context is Established and Understood
3 obligations
NIST-RMF-MP-1-01
Documentation
Document intended purposes and deployment context
Organizations must understand and document the intended purposes, potentially beneficial uses, context-specific laws, no
NIST-RMF-MP-1-04
Documentation
Document organizational mission and AI technology goals
Organizations must understand and document their mission and relevant goals for AI technology.
NIST-RMF-MP-1-06
Documentation
Determine and document organizational risk tolerances
Organizations must determine and document their risk tolerances related to AI systems.
Article MP-2. Categorization of the AI System
4 obligations
NIST-RMF-MP-2-02
Documentation
Define AI System Tasks and Implementation Methods
Organizations must define and document the specific tasks that the AI system will support and the methods used to implem
NIST-RMF-MP-2-03
Documentation
Document AI System Knowledge Limits and Human Oversight Information
Organizations must document information about the AI system's knowledge limits and how system output may be utilized and
NIST-RMF-MP-2-05
Documentation
Identify and Document Scientific Integrity Considerations
Organizations must identify and document scientific integrity considerations, including those related to experimental de
NIST-RMF-MP-2-06
Documentation
Identify and Document TEVV Considerations
Organizations must identify and document Testing, Evaluation, Validation and Verification (TEVV) considerations, includi
Article MP-3. AI Capabilities, Usage, Goals, Benefits, and Costs
2 obligations
NIST-RMF-MP-3-01
Documentation
Document potential benefits of AI system functionality and performance
Organizations must examine and document the potential benefits of their intended AI system functionality and performance
NIST-RMF-MP-3-03
Documentation
Specify and document targeted application scope based on system capability
Organizations must specify and document the targeted application scope based on the AI system's capability, established
Article MP-4. Third-Party Component Risks and Benefits
1 obligation
Article MP-5. Impact Characterization
2 obligations
NIST-RMF-MP-5-01
Documentation
Document likelihood and magnitude of identified impacts
Organizations must identify and document the likelihood and magnitude of each identified impact (both potentially benefi
NIST-RMF-MP-5-04
Documentation
Document engagement practices and personnel assignments
Organizations must document both the practices and personnel arrangements for supporting regular engagement with relevan
Chapter 3 — MEASURE
Article MS-1. Appropriate Methods and Metrics
1 obligation
Article MS-2. Trustworthy Characteristics Evaluation
9 obligations
NIST-RMF-MS-2-01
Documentation
Document TEVV Test Sets, Metrics, and Tools
Organizations must document test sets, metrics, and details about the tools used during Testing, Evaluation, Validation,
NIST-RMF-MS-2-04
Documentation
Document Performance and Assurance Measures
Organizations must document the measures used to evaluate AI system performance or assurance criteria.
NIST-RMF-MS-2-07
Documentation
Document Generalizability Limitations
Organizations must document limitations of the generalizability of the AI system beyond the conditions under which the t
NIST-RMF-MS-2-12
Documentation
Document Security and Resilience Evaluation Results
Organizations must document the results of AI system security and resilience evaluations.
NIST-RMF-MS-2-14
Documentation
Document Transparency and Accountability Risk Analysis
Organizations must document the examination of risks associated with transparency and accountability.
NIST-RMF-MS-2-18
Documentation
Document Privacy Risk Examination
Organizations must document the examination of privacy risks of the AI system.
NIST-RMF-MS-2-20
Documentation
Document Fairness and Bias Evaluation Results
Organizations must document the results of fairness and bias evaluations.
NIST-RMF-MS-2-22
Documentation
Document Environmental Impact and Sustainability Assessment
Organizations must document the assessment of environmental impact and sustainability of AI model training and managemen
NIST-RMF-MS-2-24
Documentation
Document TEVV Effectiveness Evaluation
Organizations must document the evaluation of the effectiveness of employed TEVV metrics and processes.
Article MS-4. Measurement Efficacy Feedback
3 obligations
NIST-RMF-MS-4-02
Documentation
Document AI Risk Measurement Approaches
Organizations must document their measurement approaches for identifying AI risks that are connected to deployment conte
NIST-RMF-MS-4-04
Documentation
Document AI System Trustworthiness Measurement Results
Organizations must document measurement results regarding AI system trustworthiness in deployment contexts and across th
NIST-RMF-MS-4-06
Documentation
Document Performance Changes and Risk Data
Organizations must document identified measurable performance improvements or declines that are based on stakeholder con
Chapter 4 — MANAGE
Article MG-1. Risk Prioritization and Response
1 obligation
Article MG-2. Strategies for Benefits and Impact Management
1 obligation
Article MG-4. Risk Treatment and Communication Plans
2 obligations
NIST-RMF-MG-4-01
Documentation
Document and monitor risk treatment and communication plans
Organizations must create written documentation of risk treatments (including response and recovery measures) and commun
NIST-RMF-MG-4-05
Documentation
Follow and document incident and error tracking, response, and recovery processes
Organizations must establish, follow, and document processes for tracking, responding to, and recovering from incidents