RMF: The Basics

The risk management framework (RMF) is designed to help organizations understand the risks to their information and information systems and manage those risks in order to maintain their security. The RMF helps organizations identify, assess, protect and monitor their information and information systems, and it also helps them determine how well they are managing risk. NIST provides a variety of resources for implementing the RMF, including guidance on developing an authorization to operate (ATO) process, which is needed for many federal agencies. The RMF defines the steps an organization can take to manage the risks associated with its information systems.


NIST SP 800-37: The Risk Management Framework Steps

The RMF consists of six steps, preceded by a preparatory step (Step 0):

Step 0 - Preparation: essential activities to prepare the organization to manage security and privacy risks.

Step 1 - Categorize: categorize the system and the information it processes, stores, and transmits based on an impact analysis.

Step 2 - Select: select the set of NIST SP 800-53 controls to protect the system based on risk assessment(s).

Step 3 - Implement: implement the controls and document how they are deployed.

Step 4 - Assess: assess whether the controls are in place, operating as intended, and producing the desired results.

Step 5 - Authorize: a senior official makes a risk-based decision to authorize the system (to operate).

Step 6 - Monitor: continuously monitor control implementation and risks to the system.
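As an added example (not part of the original post), here are Steps 1 and 2 above modeled in Python: the FIPS 199 high-water mark that the SP 800-37 Categorize step relies on, applied across several information types, followed by the SP 800-53B baseline that the resulting category points to as the starting point for control selection. The HR system and its impact ratings are constructed for illustration.

```python
"""RMF Step 1 (Categorize) and Step 2 (Select) modeled with the FIPS 199
high-water mark and SP 800-53B baselines. Illustrative model, not NIST code."""
from __future__ import annotations
from dataclasses import dataclass

IMPACT_LEVELS = {"LOW": 1, "MODERATE": 2, "HIGH": 3}
LEVEL_NAMES = {v: k for k, v in IMPACT_LEVELS.items()}
OBJECTIVES = ("confidentiality", "integrity", "availability")


@dataclass(frozen=True)
class InfoType:
    """One information type the system handles, with its provisional
    impact rating for each security objective."""
    name: str
    confidentiality: str
    integrity: str
    availability: str


def _level(value: str) -> int:
    if value not in IMPACT_LEVELS:
        raise ValueError(f"unknown impact level: {value!r}")
    return IMPACT_LEVELS[value]


def categorize(info_types: list[InfoType]) -> dict[str, str]:
    """Step 1: per security objective, take the highest impact rating across
    all information types (the FIPS 199 high-water mark)."""
    if not info_types:
        raise ValueError("a system must process at least one information type")
    return {
        obj: LEVEL_NAMES[max(_level(getattr(t, obj)) for t in info_types)]
        for obj in OBJECTIVES
    }


def overall_category(sc: dict[str, str]) -> str:
    """Overall system category: high-water mark across the three objectives."""
    return LEVEL_NAMES[max(_level(v) for v in sc.values())]


def select_baseline(sc: dict[str, str]) -> str:
    """Step 2: the overall category selects the SP 800-53B baseline that is
    the starting point for control selection, before tailoring."""
    return f"SP 800-53B {overall_category(sc).capitalize()} baseline"


# Constructed sample: a hypothetical HR system with three information types.
SAMPLE_SYSTEM = [
    InfoType("employee PII", "MODERATE", "MODERATE", "LOW"),
    InfoType("payroll", "MODERATE", "HIGH", "MODERATE"),
    InfoType("public job postings", "LOW", "LOW", "LOW"),
]

if __name__ == "__main__":
    sc = categorize(SAMPLE_SYSTEM)
    print("SC =", sc, "-> overall", overall_category(sc), "->", select_baseline(sc))
```

Note that a single HIGH integrity rating on payroll lifts the whole system to the High baseline; that is the point of the high-water mark, and why the impact analysis in Step 1 has to cover every information type the system touches.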
