September 5, 2023

The NIST Risk Management Framework (RMF) is a set of processes all federal agencies must use to identify, implement, assess, manage, and monitor cybersecurity capabilities and services to find, eliminate, and mitigate ongoing risks in new and legacy systems. Developed by a Joint Task Force (JTF) that included the National Institute of Standards and Technology (NIST), the United States Intelligence Community (IC), the Department of Defense (DoD), and the Committee on National Security Systems (CNSS), the NIST RMF replaced the DoD Information Assurance Certification and Accreditation Process (DIACAP). 

The NIST RMF brings a risk-based approach to cybersecurity implementations that begins early in system lifecycles by integrating security, privacy, and cyber supply chain risk management. The NIST RMF drives risk-based considerations into the control selection and specification and focuses on effectiveness, efficiency, and constraints due to applicable laws, directives, Executive Orders, policies, standards, and regulations. 

The NIST RMF comprises five components: Identification, Measurement and Assessment, Mitigation, Reporting and Monitoring, and Governance. 

1. Identification 
The NIST RMF begins with identifying the risks across an organization, such as legal, privacy, and strategic risks. This component of the NIST RMF needs to be conducted regularly as risk landscapes change. 

2. Measurement and assessment 
The measurement and assessment component guides the development of risk profiles for the risks that are identified. 

3. Mitigation 
With the NIST RMF, risk mitigation involves reviewing the identified risks to determine their severity. In some cases, risks are acceptable and do not require any action. Other risks should be mitigated, and still others may require elimination. 

4. Reporting and monitoring 
The NIST RMF includes processes for sharing information about risks and regular evaluations of risks to identify any changes that warrant additional action.   

5. Governance 
With its risk governance component, the NIST RMF ensures that risk management elements have been implemented and risk-related policies are enforced.   

The primary goals of the NIST RMF are to: 

  • Enhance information security 
  • Foster reciprocity among federal agencies 
  • Improve risk management processes 

To achieve these goals, the NIST RMF drives organizations to: 

  • Follow a risk management methodology that identifies vulnerabilities caused by non-compliant controls and prioritizes them based on risk factors (e.g., likelihood, threat, and impact). 
  • Implement a tiered approach to risk management that focuses on the business process level, enterprise level, information system level, and mission level. 
  • Incorporate cybersecurity early and robustly in the acquisition and system development lifecycle. 
  • Require continuous monitoring and timely correction of deficiencies, vulnerabilities, and incidents related to information security. 
  • Support authorization reciprocity to allow organizations to accept approvals by other organizations for interconnection or reuse of IT systems without retesting. 

Steps in the risk management framework

The seven steps in the NIST RMF are: Prepare, Categorize, Select, Implement, Assess, Authorize, and Monitor Security Controls. 

1. Prepare 

The organization gets ready to manage its security and privacy risks by: 

  • Assessing organization-wide risk. 
  • Defining key risk management roles.   
  • Determining risk tolerance.  
  • Developing and implementing an organization-wide strategy for continuous monitoring.  
  • Establishing a formal risk management strategy. 
  • Identifying common controls. 

2. Categorize   

The risks to systems and to the information they process, store, and transmit are categorized based on an impact analysis of the loss of confidentiality, integrity, and availability (CIA), using the impact levels low, moderate, and high. During the NIST RMF Categorize step: 

  • System characteristics are documented. 
  • Security categorization of the system and information is completed. 
  • Categorization decisions are reviewed and approved by the authorizing official. 
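As an added example that is not part of the original article, the following Python sketch shows how the categorization described above can be computed for a system that handles several information types. It assumes the FIPS 199/200 high-water-mark rule (the page only names the three levels): each objective takes the highest level across all information types, and the overall system level is the highest objective, which in turn picks the low, moderate, or high control baseline used in the Select step.

```python
# Added example (not from the article): FIPS 199-style security
# categorization for the RMF Categorize step. The per-objective and overall
# high-water-mark rule is an assumption here; the page only names the levels.
from dataclasses import dataclass

LEVELS = ("low", "moderate", "high")
RANK = {lvl: i for i, lvl in enumerate(LEVELS)}
OBJECTIVES = ("confidentiality", "integrity", "availability")

@dataclass(frozen=True)
class InfoType:
    name: str
    confidentiality: str
    integrity: str
    availability: str

def security_category(info: InfoType) -> dict:
    """Return {objective: impact level} for one information type, validated."""
    cat = {obj: getattr(info, obj).lower() for obj in OBJECTIVES}
    for obj, lvl in cat.items():
        if lvl not in RANK:
            raise ValueError(f"{info.name}: {obj} must be one of {LEVELS}, got {lvl!r}")
    return cat

def system_category(info_types: list) -> dict:
    """Per-objective high-water mark across every information type on the system."""
    if not info_types:
        raise ValueError("a system must process at least one information type")
    result = dict.fromkeys(OBJECTIVES, "low")
    for info in info_types:
        for obj, lvl in security_category(info).items():
            if RANK[lvl] > RANK[result[obj]]:
                result[obj] = lvl
    return result

def system_impact_level(info_types: list) -> str:
    """Overall level is the highest objective; it picks the low/moderate/high baseline."""
    return max(system_category(info_types).values(), key=RANK.__getitem__)

# Constructed sample: a hypothetical HR system with two information types.
SAMPLE_SYSTEM = [
    InfoType("employee PII", "moderate", "moderate", "low"),
    InfoType("public job postings", "low", "moderate", "low"),
]

if __name__ == "__main__":
    print(system_category(SAMPLE_SYSTEM))
    print(system_impact_level(SAMPLE_SYSTEM))
```

Note that a single high-impact objective on any one information type is enough to raise the whole system to the high baseline, which is why the authorizing official reviews categorization decisions before controls are selected.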

3. Select   

The required security controls are identified. The NIST RMF Select step includes: 

  • Allocating controls to specific system components. 
  • Designating controls as system-specific, hybrid, or common. 
  • Developing a system-level continuous monitoring strategy.  
  • Ensuring that security and privacy plans reflect the control selection, designation, and allocation.  
  • Selecting and tailoring control baselines. 

4. Implement    

The controls in the security and privacy plans for the system and organization are implemented. During the NIST RMF Implement step:  

  • The controls are implemented.   
  • All the processes and procedures for how the controls are deployed are documented. 
  • Security and privacy plans are updated to reflect how the controls are implemented. 

5. Assess   

An assessment is conducted to determine if the controls are implemented correctly and address the security and privacy requirements. The Assess step of the NIST RMF includes:  

  • Assigning an assessor and assessment team.   
  • Developing plans for the security and privacy assessment.    
  • Reviewing and approving assessment plans.   
  • Conducting the control assessments in accordance with assessment plans. 
  • Producing security and privacy assessment reports.   
  • Implementing remediation actions to address any deficiencies in controls.   
  • Updating security and privacy plans with control implementation changes based on assessments and remediation actions. 
  • Establishing a plan of action and milestones.  

6. Authorize 

Once everything is working as intended, executive approval of the risk mitigation mechanisms is provided. During the Authorize step of the NIST RMF: 

  • Authorization packages, including an executive summary, system security and privacy plan, assessment report(s), and plan of action and milestones, are produced. 
  • The risk determination is provided. 
  • Risk responses are provided. 
  • The authorization of the system and controls is approved or denied.   

7. Monitor security controls 

A continuous monitoring strategy is required to ensure that the security controls are working. The NIST RMF Monitor step includes: 

  • Continuous monitoring of the system and environment. 
  • Ongoing assessments of control effectiveness. 
  • Analysis and response to the output of continuous monitoring activities.  
  • Reports about security and privacy posture for management. 
  • Ongoing authorizations.   

RMF roles and responsibilities

The NIST RMF provides a list of roles and responsibilities for key participants in a risk management program. These are recommendations; it is not required to have each position assigned to a person, only that the functions are performed. Care must be taken so that the individuals or groups assigned to a role or function do not have conflicting interests. The NIST RMF roles and responsibilities include the following. 

Chief Executive Officer 
  • Oversees the organization’s success 

Risk Executive 
  • Oversees the organization’s risk program 

Chief Information Officer 
  • Designates a senior information security officer 
  • Develops and maintains information security policies, procedures, and control techniques 
  • Manages personnel 
  • Assists the leadership team with security responsibilities 

Senior Information Security Officer 
  • Executes the chief information officer’s security responsibilities 
  • Serves as the primary interface between senior managers and information system owners 

Information Owner 
  • Establishes policies and procedures governing the generation, collection, processing, dissemination, and disposal of information 
  • Holds statutory, management, or operational authority over information 

Authorizing Official (AO) or Designated Representative 
  • Accepts information systems into an operational environment at a known risk level 

Common Control Provider 
  • Develops, implements, assesses, and monitors common security controls 

Information System Owner (ISO) 
  • Procures, develops, integrates, modifies, operates, and maintains an information system 

Information System Security Officer (ISSO) 
  • Ensures that the appropriate operational security posture is maintained for an information system 

Information Security Architect 
  • Ensures that the information security requirements necessary to protect the organization’s core missions and business processes are adequately addressed in all aspects of enterprise architecture 

Information System Security Manager (ISSM) 
  • Conducts information system security management activities as designated by the ISSO 
  • Develops and maintains the system-level cybersecurity program 

Security Control Assessor (SCA) 
  • Conducts an assessment of the management, operational, and technical security controls of an information system 

The NIST RMF roles listed by NIST and the Information Technology Laboratory (ITL) in their NIST RMF Quick Start Guide are: 

  • Authorizing official or authorizing official designated representative 
  • Chief acquisition officer 
  • Chief information officer 
  • Common control provider 
  • Control assessor 
  • Enterprise architect 
  • Head of agency 
  • Information owner or steward (or system owner) 
  • Mission or business owner 
  • Risk executive or senior official for risk management 
  • Security or privacy architect 
  • Senior agency information security officer 
  • Senior agency official for privacy 
  • System administrator 
  • System owner 
  • System security or privacy engineer 
  • System security or privacy officer 
  • User  

NIST Risk Management Framework resources

NIST Special Publication 800-37, Revision 2 (aka NIST RMF) 
Risk Management Framework for Information Systems and Organizations: A System Life Cycle Approach for Security and Privacy 
NIST SP 800-37, the NIST RMF itself, describes the monitoring of security controls across the system development lifecycle. 
https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-37r2.pdf 

NIST Special Publication 800-53, Revision 5 
Security and Privacy Controls for Information Systems and Organizations 
NIST SP 800-53 guides teams in selecting and implementing security controls to mitigate risk. 
https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r5.pdf 

NIST RMF Framework FAQ 
General and NIST Special Publication (SP) 800-53 
https://csrc.nist.gov/Projects/risk-management/faqs 

NIST RMF Quick Start Guide 
Roles and Responsibilities Crosswalk is based on key steps and responsibilities detailed in the NIST RMF. 
https://csrc.nist.gov/csrc/media/Projects/risk-management/documents/Additional%20Resources/NIST%20RMF%20Roles%20and%20Responsibilities%20Crosswalk.pdf 

NIST RMF Quick Start Guide on Prepare Step 
https://csrc.nist.gov/CSRC/media/Projects/risk-management/documents/01-Prepare%20Step/NIST%20RMF%20Prepare%20Step-FAQs.pdf 

NIST RMF Quick Start Guide on Categorize Step 
https://csrc.nist.gov/CSRC/media/Projects/risk-management/documents/02-Categorize%20Step/NIST%20RMF%20Categorize%20Step-FAQs.pdf 

NIST RMF Quick Start Guide on Select Step 
https://csrc.nist.gov/CSRC/media/Projects/risk-management/documents/03-Select%20Step/NIST%20RMF%20Select%20Step-FAQs.pdf 

NIST RMF Quick Start Guide on Implement Step 
https://csrc.nist.gov/CSRC/media/Projects/risk-management/documents/04-Implement%20Step/NIST%20RMF%20Implement%20Step-FAQs.pdf 

NIST RMF Quick Start Guide on Assess Step 
https://csrc.nist.gov/CSRC/media/Projects/risk-management/documents/05-Assess%20Step/NIST%20RMF%20Assess%20Step-FAQs.pdf 

NIST RMF Quick Start Guide on Authorize Step 
https://csrc.nist.gov/CSRC/media/Projects/risk-management/documents/06-Authorize%20Step/NIST%20RMF%20Authorize%20Step-FAQs.pdf 

NIST RMF Quick Start Guide on Monitor Step 
https://csrc.nist.gov/CSRC/media/Projects/risk-management/documents/07-Monitor%20Step/NIST%20RMF%20Monitor%20Step-FAQs.pdf 

NIST RMF for the private sector 

Although the NIST RMF was created for use by federal agencies, it can also be used by organizations operating in the private sector. The NIST RMF helps organizations of all types and sizes reduce cybersecurity risk and better protect their IT resources. 
