Mandatory (federal)
NIST Risk Management Framework
Mandatory (federal)

NIST Risk Management Framework

All frameworks

What it is

A seven-step lifecycle (SP 800-37 Rev. 2) for managing security and privacy risk for federal information systems. Required for federal agencies and most federal contractors operating federal systems.

Who uses it

U.S. federal agencies, FedRAMP cloud providers, defense contractors, and any organization operating a system that must obtain an Authority to Operate (ATO).

Why it matters

RMF is the spine of federal compliance — FedRAMP, DoD RMF, FISMA all run on it. Knowing the seven steps and the artifacts each produces is table-stakes for federal GRC work.

Structure

1. Prepare

Set context: identify stakeholders, common controls, risk tolerance, and prioritize systems.

2. Categorize

Use FIPS 199 to categorize the system as Low / Moderate / High impact for Confidentiality, Integrity, Availability.

3. Select

Pick the baseline of controls from NIST SP 800-53 that matches the impact level, then tailor.

4. Implement

Stand up the controls and document how each one is implemented in the System Security Plan (SSP).

5. Assess

An independent assessor tests the controls and writes a Security Assessment Report (SAR).

6. Authorize

The Authorizing Official reviews risk and issues an Authority to Operate (ATO) — or denies it.

7. Monitor

Continuous monitoring: ongoing assessment, configuration management, and POA&M tracking.

Terminology

ATO
Authority to Operate — formal management decision authorizing a system to run.
SSP
System Security Plan — the master document describing the system and how each control is implemented.
POA&M
Plan of Action and Milestones — the running list of open weaknesses and remediation dates.
SAR
Security Assessment Report — the assessor's findings about which controls passed or failed.
Boundary
The defined scope of components included in the authorization.

Beginner explanation

RMF is the recipe a federal system follows to legally turn on. Each step produces a document. The whole package proves that someone with authority looked at the risk and accepted it.

Practical examples

  • A FedRAMP Moderate SaaS goes through Categorize → Select (800-53 Moderate baseline) → Implement → Assess (by a 3PAO) → Authorize → ConMon.
  • A new module added to an authorized system triggers a re-assessment of affected controls only, not the entire system.

Advanced notes

RMF feeds OSCAL (Open Security Controls Assessment Language) for machine-readable SSPs and SARs, increasingly used in FedRAMP automation.