The Risk Management Framework (RMF) is most commonly associated with the NIST SP 800-37 guide for “Applying the Risk Management Framework to Federal Information Systems: A Security Life Cycle Approach,” which has been available for FISMA compliance since 2004.  It was updated in December 2018 to revision 2.

This was the result of a Joint Task Force Transformation Initiative Interagency Working Group; it’s something that every agency of the U.S. government must now abide by and integrate into their processes. It was most recently integrated into DoD instructions, and many organizations are now creating new guidance for compliance to the RMF.

For all federal agencies, RMF describes the process that must be followed to secure, authorize and manage IT systems. RMF defines a process cycle used to initially secure systems through an Authorization to Operate (ATO) and then to integrate ongoing risk management (continuous monitoring). Revision 2 of the RMF was the first NIST publication to address both privacy and security risk management in an integrated methodology.

Risk Management Framework Steps

The RMF is now a seven-step process, as illustrated below:

Step 1: Prepare

This step was an addition to the Risk Management Framework in Revision 2. Tasks in the Prepare step are meant to support the rest of the steps of the framework. The step consists mainly of guidance from other NIST publications, requirements set by Office of Management and Budget (OMB) policy, or a combination of the two. In some cases, organizations may find they have already implemented some of the tasks from the Prepare step as part of their risk management program. The purpose of this step was to “reduce complexity as organizations implement the Risk Management Framework, promote IT modernization objectives,