Federal AI risk management training for NIST AI RMF 1.0.
GOVERN / MAP / MEASURE / MANAGE don't accept "we read the framework." They expect demonstrable competence in security, resilience, bias measurement, risk treatment and continuous improvement — per developer who ships AI features.
NIST AI RMF is the US federal AI risk baseline.
NIST AI Risk Management Framework 1.0 (January 2023) provides voluntary, federally-aligned guidance for AI risk management. While voluntary, it is the de facto baseline for US federal AI programs, FedRAMP-adjacent procurement, and most DoD AI deployments.
AI RMF organizes risk around four functions — GOVERN, MAP, MEASURE, MANAGE — with detailed subcategories. Developer-facing controls live primarily in MEASURE-2.7 (security and resilience) and MEASURE-2.8 (bias, fairness and drift), with treatment captured under MANAGE-2.4 and MANAGE-4.1.
AI RMF functions — and how the training covers each.
Each AI RMF subcategory is mapped to hands-on challenges and guided scenarios drawn from the OWASP LLM Top 10, OWASP Agentic AI Top 10 and Secure AI-Assisted Development tracks.
Per-developer evidence for federal AI program audits.
Every completed challenge and scenario is recorded per developer, tagged to the AI RMF subcategory and the underlying CWE. Exportable as PDF or machine-readable JSON for federal AI program reporting.
- Per-developer completion log tagged to GOVERN / MAP / MEASURE / MANAGE subcategories.
- Underlying CWE per topic — supports MEASURE-2.7 cybersecurity reporting.
- Time-stamped, signed PDF export — fits federal AI program documentation.
- Coverage dashboard rolled up to all four AI RMF functions.
Common questions from US federal AI program teams.
Is NIST AI RMF mandatory for federal contractors?
AI RMF 1.0 is voluntary at the federal level, but is referenced or required in OMB M-24-10, DoD Responsible AI Strategy, and most federal AI procurement language since 2024. Many federal-adjacent programs (FedRAMP, GovCloud customers, DIB contractors) now expect AI RMF alignment as table stakes.
Does AI RMF require developer training specifically?
Yes. GOVERN-1.1 requires defined roles and competence for AI risk management. MEASURE-2.7 requires measured security and resilience — both are difficult to evidence without hands-on developer training and per-individual records.
How does AI RMF relate to NIST 800-53 and FedRAMP?
AI RMF is the AI-specific overlay. NIST 800-53 controls (AC, AU, SC, SI families) still apply to AI systems; AI RMF adds the AI-specific risk dimensions like adversarial robustness, bias, and drift. SecureCodingHub evidence supports both surface areas.
What about NIST AI 600-1 (GenAI Profile)?
NIST AI 600-1 is the Generative AI Profile of AI RMF, published July 2024. It refines MEASURE and MANAGE for GenAI specifically — prompt injection, training data integrity, hallucination, output integrity. Our OWASP LLM Top 10 track maps directly.
Can we use this for DoD or IC AI deployments?
Yes. DoD's Responsible AI Strategy and IC's AI Ethics Framework both reference AI RMF as the technical baseline. Per-developer evidence with framework-mapped roll-up is exactly the type of documentation those programs expect.
Can we run this alongside our EU AI Act and ISO 42001 programs?
Yes — the same training catalog satisfies AI RMF, EU AI Act Articles 9–15, and ISO 42001 Annex A. One training, three frameworks covered.
Federal AI procurement is asking about AI RMF alignment now.
30 minutes with our team. We'll walk through the AI RMF mapping, show you the per-developer evidence export, and show how SSO and SCIM light up for your IdP.