The Risk Management Framework (RMF) provides a process that integrates security, privacy, and cyber supply chain risk management activities into the system development life cycle. The risk-based approach to control selection and specification considers effectiveness, efficiency, and constraints due to applicable laws, directives, Executive Orders, policies, standards, or regulations. Managing organizational risk is paramount to effective information security and privacy programs; the RMF approach can be applied to new and legacy systems, any type of system or technology (e.g., IoT, control systems), and within any type of organization regardless of size or sector. The RMF is one of many publications developed by the Joint Task Force (JTF).
For more information on each RMF Step, including Resources for Implementers and Supporting NIST Publications, select the Step below.
Prepare | Essential activities to prepare the organization to manage security and privacy risks |
Categorize | Categorize the system and information processed, stored, and transmitted based on an impact analysis |
Select | Select the set of NIST SP 800-53 controls to protect the system based on risk assessment(s) |
Implement | Implement the controls and document how controls are deployed |
Assess | Assess to determine if the controls are in place, operating as intended, and producing the desired results |
Authorize | Senior official makes a risk-based decision to authorize the system (to operate) |
Monitor | Continuously monitor control implementation and risks to the system |
These resources may be used by governmental and nongovernmental organizations, and is not subject to copyright in the United States. Attribution would, however, be appreciated by NIST.
Graphics
Quick Start Guides (QSG) for the RMF Steps
Security and Privacy: general security & privacy, privacy, risk management, security measurement, security programs & operations
Laws and Regulations: E-Government Act, Federal Information Security Modernization Act