NIST Risk Management Framework
What it is
A seven-step lifecycle (SP 800-37 Rev. 2) for managing security and privacy risk for federal information systems. Required for federal agencies and most federal contractors operating federal systems.
Who uses it
U.S. federal agencies, FedRAMP cloud providers, defense contractors, and any organization operating a system that must obtain an Authority to Operate (ATO).
Why it matters
RMF is the spine of federal compliance — FedRAMP, DoD RMF, FISMA all run on it. Knowing the seven steps and the artifacts each produces is table-stakes for federal GRC work.
Structure
Set context: identify stakeholders, common controls, risk tolerance, and prioritize systems.
Use FIPS 199 to categorize the system as Low / Moderate / High impact for Confidentiality, Integrity, Availability.
Pick the baseline of controls from NIST SP 800-53 that matches the impact level, then tailor.
Stand up the controls and document how each one is implemented in the System Security Plan (SSP).
An independent assessor tests the controls and writes a Security Assessment Report (SAR).
The Authorizing Official reviews risk and issues an Authority to Operate (ATO) — or denies it.
Continuous monitoring: ongoing assessment, configuration management, and POA&M tracking.
Terminology
Beginner explanation
RMF is the recipe a federal system follows to legally turn on. Each step produces a document. The whole package proves that someone with authority looked at the risk and accepted it.
Practical examples
- A FedRAMP Moderate SaaS goes through Categorize → Select (800-53 Moderate baseline) → Implement → Assess (by a 3PAO) → Authorize → ConMon.
- A new module added to an authorized system triggers a re-assessment of affected controls only, not the entire system.
Advanced notes
RMF feeds OSCAL (Open Security Controls Assessment Language) for machine-readable SSPs and SARs, increasingly used in FedRAMP automation.
Practice this in a lab
Map your organization's MFA control to NIST CSF 2.0, ISO 27001 Annex A, SOC 2 TSC, and NIST SP 800-53.
Test 'Quarterly user access review' for the Q3 period.
An audit produced 10 findings of varying severity. Build a remediation plan with owners and dates.