What Is NIST Risk Management Framework?
The National Institute of Standards and Technology (NIST) and the United States Department of Defense (DoD) worked together to establish a unified cybersecurity framework for the Federal Government. This is called the Risk Management Framework (RMF). The RMF was designed to help federal agencies meet the strict demands of policies like The Privacy Act of 1974 and the Federal Information Security Modernization Act of 2014 (FISMA), although its broad application and comprehensive security foundation have since made it popular among private enterprises as well.
The RMF is not a product but rather a six-step process created to “improve information security, strengthen risk management processes, and encourage reciprocity among federal agencies, as stated by NIST. Notably, it mixes risk management and IT security into the systems development lifecycle, requiring firms to implement data governance systems and threat modeling to reduce risk.
NIST RMF Compliance: Who Needs to Comply?
Every federal agency is required to comply with the NIST Risk Management Framework. Originally developed in partnership with the Department of Defense, it was adopted by all federal information systems of the U.S. government in 2010 and remains in use today.
While not a requirement beyond federal agencies, it should be noted that private sector and non-profit organizations have found NIST RMF to be useful in improving their security posture and achieving compliance. Using RMF bolsters compliance with standards like GDPR and the NIST Cybersecurity Framework (CSF) and helps companies more quickly identify and respond to new threats and vulnerabilities.
NIST RMF Compliance Checklist
The National Institute of Standards and Technology notes seven major components to the RMF. These steps are sequential and designed to be flexible, repeatable, comprehensive, and measurable so agencies of all types can smoothly integrate them into their processes.
Step 1: Prepare
New step added in Revision 2 of the RMF to reduce complexity and support the other steps.
See the RMF Quick Start guide on Prepare for more details.
References: NIST Special Publications 800-30, 800-39, 800-18, 800-160 Volume 1, NISTIR 8062
New step added in Revision 2 of the RMF to reduce complexity and support the other steps.
See the RMF Quick Start guide on Prepare for more details.
References: NIST Special Publications 800-30, 800-39, 800-18, 800-160 Volume 1, NISTIR 8062
Step 2: Categorize Information System
Classify and label data and systems to get an accurate risk assessment.
This will inform the level of controls which should be applied.
Categorize Step Quick Start Guide
References: FIPS Publication 199; NIST Special Publications 800-30, 800-39, 800-59, 800-60 Volume 1 and Volume 2; CNSS Instruction 1253.
Classify and label data and systems to get an accurate risk assessment.
This will inform the level of controls which should be applied.
Categorize Step Quick Start Guide
References: FIPS Publication 199; NIST Special Publications 800-30, 800-39, 800-59, 800-60 Volume 1 and Volume 2; CNSS Instruction 1253.
Step 3: Select Security Controls
Review the categorization to select the right security controls.
Revise and adjust controls based on changing risk profile.
References: FIPS Publications 199, 200; NIST Special Publications 800-30, 800-53, 800-53B; CNSS Instruction 1253.
Review the categorization to select the right security controls.
Revise and adjust controls based on changing risk profile.
References: FIPS Publications 199, 200; NIST Special Publications 800-30, 800-53, 800-53B; CNSS Instruction 1253.
Step 4: Implement Security Controls
Ensure security controls have properly deployed with proper policies and management from qualified personnel.
Implement Step Quick Start Guide
References: FIPS Publication 200; NIST Special Publications 800-34, 800-61, 800-128; CNSS Instruction 1253; Web: SCAP.NIST.GOV.
Ensure security controls have properly deployed with proper policies and management from qualified personnel.
Implement Step Quick Start Guide
References: FIPS Publication 200; NIST Special Publications 800-34, 800-61, 800-128; CNSS Instruction 1253; Web: SCAP.NIST.GOV.
Step 5: Assess Security Controls
Validate controls have been successfully implemented and producing desired outcomes.
References: NIST Special Publication 800-53A, NISTIR 8011.
Validate controls have been successfully implemented and producing desired outcomes.
References: NIST Special Publication 800-53A, NISTIR 8011.
Step 6: Authorize Information System
Create a formal approval process with designated authorization officials.
This provides tracking and status for all controls.
Authorize Step Quick Start Guide
References: OMB Memorandum 02-01; NIST Special Publications 800-30, 800-39, 800-53A
Create a formal approval process with designated authorization officials.
This provides tracking and status for all controls.
Authorize Step Quick Start Guide
References: OMB Memorandum 02-01; NIST Special Publications 800-30, 800-39, 800-53A
Step 7: Monitor Security Controls
Continuously monitor the effectiveness of security controls and make changes as necessary to ensure efficacy.
Monitor Step Quick Start Guide
References: NIST Special Publications 800-53A, 800-53, 800-137; NISTIR 8011, NISTIR 8212.
Continuously monitor the effectiveness of security controls and make changes as necessary to ensure efficacy.
Monitor Step Quick Start Guide
References: NIST Special Publications 800-53A, 800-53, 800-137; NISTIR 8011, NISTIR 8212.
Fortra and the NIST RMF Framework
Learn More About Fortra for Government
Trust experience when it comes to securing your government agency. Discover the many ways Fortra’s portfolio of solutions protects the public sector.