The NIST Risk Management Framework (RMF) is a set of processes all federal agencies must use to identify, implement, assess, manage, and monitor cybersecurity capabilities and services to find, eliminate, and mitigate ongoing risks in new and legacy systems. Developed by a Joint Task Force (JTF) that included the National Institute for Standards and Technology (NIST), the United States Intelligence Community (IC), the Department of Defense (DOD), and the Committee on National Security Systems (CNSS), the NIST RMF replaced the DoD Information Assurance Certification and Accreditation Process (DIACAP).
The NIST RMF brings a risk-based approach to cybersecurity implementations that begins early in system lifecycles by integrating security, privacy, and cyber supply chain risk management. The NIST RMF drives risk-based considerations into the control selection and specification and focuses on effectiveness, efficiency, and constraints due to applicable laws, directives, Executive Orders, policies, standards, and regulations.
Five components comprise the NIST RMF: Identification, Measurement and Assessment, Mitigation, Reporting and Monitoring, and Governance.
1. Identification
The NIST RMF begins with identifying the risks across an organization, such as legal, privacy, and strategic risks. This component of the NIST RMF needs to be conducted regularly as risk landscapes change.
2. Measurement and assessment
The measurement and assessment component guides the development of risk profiles for the risks that are identified.
3. Mitigation
With the NIST RMF, risk mitigation involves reviewing the risks that are identified to determine the severity. In some cases, risks are acceptable and do not require any action. Other risks should be mitigated, and still others may require elimination.
4. Reporting and monitoring
The NIST RMF includes processes for sharing information about risks and regular evaluations of risks to identify any changes that warrant additional action.
5. Governance
With its risk governance component, the NIST RMF ensures that risk management elements have been implemented and risk-related policies are enforced.
The primary goals of the NIST RMF are to:
- Enhance information security
- Foster reciprocity among federal agencies
- Improve risk management processes
To achieve these goals, the NIST RMF drives organizations to:
- Follow a risk management methodology that identifies vulnerabilities caused by non-compliant controls and prioritizes them based on risk factors (e.g., likelihood, threat, and impact).
- Implement a tiered approach to risk management that focuses on the business process level, enterprise level, information system level, and mission level.
- Incorporate cybersecurity early and robustly in the acquisition and system development lifecycle.
- Require continuous monitoring and timely correction of deficiencies, vulnerabilities, and incidents related to information security.
- Support authorization reciprocity to allow organizations to accept approvals by other organizations for interconnection or reuse of IT systems without retesting.
Steps in the risk management framework
The seven steps in the NIST RMF are: Prepare, Categorize, Select, Implement, Assess, Authorize, and Monitor Security Controls.
1. Prepare
The organization gets ready to manage its security and privacy risks by:
- Assessing organization-wide risk.
- Defining key risk management roles.
- Determining risk tolerance.
- Developing and implementing an organization-wide strategy for continuous monitoring.
- Establishing a formal risk management strategy.
- Identifying common controls.
2. Categorize
The risks to systems and information processed, stored, and transmitted are categorized based on an impact analysis of loss of confidentiality, integrity, and availability (CIA). This categorization includes impact levels low, moderate, or high. During the NIST RMF Categorize step:
- System characteristics are documented.
- Security categorization of the system and information is completed.
- Categorization decisions are reviewed and approved by the authorizing official.
3. Select
The required security controls are identified. The NIST RMF Select step includes:
- Allocating controls to specific system components.
- Designating controls as system-specific, hybrid, or common.
- Developing a system-level continuous monitoring strategy.
- Ensuring that security and privacy plans reflect the control selection, designation, and allocation.
- Selecting and tailoring control baselines.
4. Implement
The controls in the security and privacy plans for the system and organization are implemented. During the NIST RMF Implement step:
- The controls are implemented.
- All the processes and procedures for how the controls are deployed are documented.
- Security and privacy plans are updated to reflect how the controls are implemented.
5. Assess
An assessment is conducted to determine if the controls are implemented correctly and address the security and privacy requirements. The Assess step of the NIST RMF includes:
- Assigning an assessor and assessment team.
- Developing plans for the security and privacy assessment.
- Reviewing and approving assessment plans.
- Conducting the control assessments in accordance with assessment plans.
- Producing security and privacy assessment reports.
- Implementing remediation actions to address any deficiencies in controls.
- Updating security and privacy plans with control implementation changes based on assessments and remediation actions.
- Establishing a plan of action and milestones.
6. Authorize
- Authorization packages, including an executive summary, system security and privacy plan, assessment report(s), plan of action, and milestones, are produced.
- The risk determination is provided.
- Risk responses are provided.
- The authorization of the system and controls is approved or denied.
7. Monitor security controls
- Continuous monitoring of the system and environment.
- Ongoing assessments of control effectiveness.
- Analysis and response to the output of continuous monitoring activities.
- Reports about security and privacy posture for management.
- Ongoing authorizations.
RMF roles and responsibilities
The NIST RMF provides a list of roles and responsibilities for key participants in a risk management program. These are recommendations; it is not required to have each position assigned to a person, only that the functions are performed. Care must be taken so that the individuals or groups assigned to a role or function do not have conflicting interests. The NIST RMF roles and responsibilities include the following.
| NIST RMF Role | NIST RMF Responsibilities |
| Chief Executive Officer | Oversees the organization’s success |
| Risk Executive | Oversees the organization’s risk program |
| Chief Information Officer | Designates a senior information security officer Develops and maintains information security policies, procedures, and control techniques Manages personnel Assists leadership team with security responsibilities |
| Senior Information Security Officer | Executes the chief information officer’s security responsibilities Serves as the primary interface between senior managers and information system owners |
| Information Owner | Establishes policies and procedures governing the generation, collection, processing, dissemination, and disposal of information Holds statutory, management, or operational authority over information |
| Authorizing Official (AO) or Designated Representative | Accepts information systems into an operational environment at a known risk level |
| Common Control Provider | Develops, implements, assesses, and monitors common security controls |
| Information System Owner (ISO) | Procures, develops, integrates, modifies, operates, and maintains an information system |
| Information System Security Officer (ISSO) | Ensures that the appropriate operational security posture is maintained for an information system |
| Information Security Architect | Ensures that the information security requirements necessary to protect the organization’s core missions and business processes are adequately addressed in all aspects of enterprise architecture |
| Information System Security Manager (ISSM) | Conducts information system security management activities as designated by the ISSO Develops and maintains the system-level cybersecurity program |
| Security Control Assessor (SCA) | Conducts an assessment of the management, operational, and technical security controls of an information system |
The NIST RMF roles listed by NIST and the Information Technology Laboratory (ITL)in their NIST RMF Quick Start Guide are:
- Authorizing official or authorizing official designated representative
- Chief acquisition officer
- Chief information officer
- Common control provider
- Control assessor
- Enterprise architect
- Head of agency
- Information owner or steward (or system owner)
- Mission or business owner
- Risk executive or senior official for risk management
- Security or privacy architect
- Senior agency information security officer
- Senior agency official for privacy
- System administrator
- System owner
- System security or privacy engineer
- System security or privacy officer
- User
NIST Risk Management Framework resources
NIST Special Publication 800-37, Revision 2 (aka NIST RMF)
Risk Management Framework for Information Systems and Organizations: A System Life Cycle Approach for Security and Privacy
NIST SP 800-37, the NIST RMF, instructs on the monitoring of security controls across the system development lifecycle
https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-37r2.pdf
NIST Special Publication 800-53, Revision 5
Security and Privacy Controls for Information Systems and Organizations
NIST SP 800-53 guides teams in selecting and implementing security controls to mitigate risk).
https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r5.pdf
NIST RMF Framework FAQ
General and NIST Special Publication (SP) 800-53
https://csrc.nist.gov/Projects/risk-management/faqs
NIST RMF Quick Start Guide
Roles and Responsibilities Crosswalk is based on key steps and responsibilities detailed in the NIST RMF.
https://csrc.nist.gov/csrc/media/Projects/risk-management/documents/Additional%20Resources/NIST%20RMF%20Roles%20and%20Responsibilities%20Crosswalk.pdf
NIST RMF Quick Start Guide on Prepare Step
https://csrc.nist.gov/CSRC/media/Projects/risk-management/documents/01-Prepare%20Step/NIST%20RMF%20Prepare%20Step-FAQs.pdf
NIST RMF Quick Start Guide on Categorize Step
https://csrc.nist.gov/CSRC/media/Projects/risk-management/documents/02-Categorize%20Step/NIST%20RMF%20Categorize%20Step-FAQs.pdf
NIST RMF Quick Start Guide on Select Step
https://csrc.nist.gov/CSRC/media/Projects/risk-management/documents/03-Select%20Step/NIST%20RMF%20Select%20Step-FAQs.pdf
NIST RMF Quick Start Guide on Implement Step
https://csrc.nist.gov/CSRC/media/Projects/risk-management/documents/04-Implement%20Step/NIST%20RMF%20Implement%20Step-FAQs.pdf
NIST RMF Quick Start Guide on Assess Step
https://csrc.nist.gov/CSRC/media/Projects/risk-management/documents/05-Assess%20Step/NIST%20RMF%20Assess%20Step-FAQs.pdf
NIST RMF Quick Start Guide on Authorize Step
https://csrc.nist.gov/CSRC/media/Projects/risk-management/documents/06-Authorize%20Step/NIST%20RMF%20Authorize%20Step-FAQs.pdf
NIST RMF Quick Start Guide on Monitor Step
https://csrc.nist.gov/CSRC/media/Projects/risk-management/documents/07-Monitor%20Step/NIST%20RMF%20Monitor%20Step-FAQs.pdf
NIST RMF for the private sector
Although the NIST RMF was created for use by federal agencies, it can also be used by organizations operating in the private sector. The NIST RMF helps organizations of all types and sizes reduce cybersecurity risk and better protect their IT resources.
