ITL Bulletin

The Next Generation Risk Management Framework (RMF 2.0): A Holistic Methodology to Manage Information Security, Privacy and Supply Chain Risk

Date Published: February 2019


Victoria Pillitteri (NIST)



Keywords

authorization to operate; authorization to use; authorizing official; continuous monitoring; information security; ongoing authorization; plan of action and milestones; privacy; privacy plan; privacy risk; risk assessment; risk executive function; risk management; risk management framework; security; security assessment report; security engineering; security plan; security risk; supply chain risk management; system development life cycle

Control Families

Assessment, Authorization and Monitoring; Configuration Management; Planning; Program Management; Risk Assessment


February 2019 ITL Bulletin (pdf)

Supplemental Material:
None available

Related NIST Publications:
SP 800-37 Rev. 2

Document History:
02/28/19: ITL Bulletin (Final)