NIST Risk Management Framework (RMF): The Ultimate Guide

Organizational security related to cyber activity, supply chain management, and risk management is crucial in the business world. Following the NIST risk management framework is a great way to apply proven concepts to strengthen security standards and mitigate risks.

This in-depth guide explains everything you need to know about the NIST risk management framework, including how it works, examples, and how to get started.

What is the NIST Risk Management Framework (RMF) Anyway?

The Risk Management Framework (RMF) is a comprehensive, flexible, and risk-based approach developed by the National Institute of Standards and Technology.

The framework integrates cyber security, privacy, and supply chain risk management into the development lifecycle. It describes the process for identifying, assessing, managing, and implementing cybersecurity controls, information systems, and platform information technology.

The NIST RMF was originally developed for federal agencies. But today, the framework is widely adopted by state agencies, local agencies, and private sector organizations.

All of the standards and guidelines within the risk management framework meet the Federal Information Security Modernization Act (FISMA) requirements. This includes implementation, assessments, and continuous monitoring.

There are seven steps in the NIST RMF:

Prepare
Categorize
Select
Implement
Assess
Authorize
Monitor

By following a risk-based approach, the framework helps manage organizational risk for any type of organization seeking ways to improve information security for new IT systems, control systems, legacy systems, IoT, and more.

Things like regulations, industry standards, policies, executive orders, new laws, and directives are all taken into consideration for the framework—using a risk-based approach.

How the NIST Risk Management Framework (RFM) Works

The National Institute of Standards and Technology is a non-regulatory US government agency within the Department of Commerce. The organization promotes innovation and industrial competitiveness through standards, technology, and advancing measurement science.

The risk management framework is just one of the many frameworks and standards developed by the NIST.

The RMF is most closely associated with NIST SP 800-37, which provides the guidelines to apply the framework to information systems and organizations.

This is a structured, disciplined, and flexible process to manage security and privacy through assessments, implementation, control authorizations, and continuous monitoring. It includes all activities required to use the framework at various risk management levels.

The risk management framework was originally used for federal agency compliance with FISMA—the Federal Information Security Modernization Act.

In simple terms, FISMA compliance details the requirements for federal agencies to develop, document, and implement information security and protection programs.

While the NIST risk management framework was initially intended for this use case, it can still be applied to a wide range of other organizational purposes today, even in private sectors.

The NIST continues to release official publications that are directly related to the RMF. Examples of related publications include:

SP 800-53A Rev. 5 — Assessing Security and Privacy Controls in Information Systems and Organizations
SP 800-47 Rev. 1 — Managing the Security of Information Exchanges
NISTIR 8212 — ISCMA: An Information Security Continuous Monitoring Program Assessment
SP 800-53 Rev. 5 — Security and Privacy Controls for Information Systems and Organizations
SP 800 53-B — Control Baselines for Information Systems and Organizations
SP 800-137A — Assessing Information Security Continuous Monitoring (ISCM) Programs: Developing an ISCM Program Assessment
NISTIR 8011 Vol. 4 — Automation Support for Security Control Assessments: Software Vulnerability Management
SP 800-128 — Guide for Security-Focused Configuration Management of Information Systems
SP 800-37 Rev. 2 — Risk Management Framework for Information Systems and Organizations: A System Life Cycle Approach for Security and Privacy
NIST 8011 Vol. 3 — Automation Support for Security Control Assessments: Software Asset Management
SP 800-160 Vol. 1 — Systems Security Engineering: Considerations for a Multidisciplinary Approach in the Engineering of Trustworthy Secure Systems
SP 800-12 Rev. 1 — An Introduction to Information Security
NISTIR 8011 Vol. 1 — Automation Support for Security Control Assessments: Volume 1: Overview
NIST 8011 Vol. 2 — Automation Support for Security Control Assessments: Volume 2: Hardware Asset Management

These are just the documents that have been released within the past five years. In total, there are more than 25 NIST-authorized publications that are directly related to the risk management framework. You can view all of the related publications here.

In accordance with FISMA, RMF compliance is mandatory for federal agencies. It’s also required in many instances for intelligence and contractors for the Department of Defense (DoD).

But beyond compliance, let’s look at some examples that showcase the benefits of applying a risk management framework to a business.

Example 1: Asset Protection

Risk management frameworks help prioritize the risks an organization might face on a daily basis. Leaders are forced to identify assets and take steps to protect all assets that pose a higher risk.

When applying the RMF, you’re also protecting data and sensitive assets.

Example 2: Reputation Management

A potential cyber attack or data breach could be detrimental to an organization’s reputation.

The general public is constantly aware of these situations, as they commonly make big news headlines. Any breach that results in non-compliance with strict privacy laws can damage a reputation even further.

But effective risk management frameworks enable organizations to identify gaps in controls and create a blueprint to avoid or eliminate the chances of risks that could damage the company’s reputation.

Example 3: IP Protection

Many organizations have valuable intellectual property that needs to be safeguarded. The NIST RMF applies to intellectual property as well, in addition to your assets and other sensitive data.

If a business sells, distributes, or provides products or services that use intellectual property for a competitive advantage, any exposed IP could be detrimental to the business. The organization could lose out on sales, lose a competitive advantage, and prevent new business opportunities from coming to fruition. There are even some legal risks associated with lost or stolen intellectual property.

How to Get Started With NIST Risk Management Framework (RMF)

As defined by the National Institute of Standards and Technology, there are seven steps in the risk management framework. We’ll take a closer look at each step below, explaining what it means, how it works, and how you can get started applying it with the framework.

Step 1: Prepare

The preparation step was not part of the original risk management framework. It was added during the second revision, but it’s crucial for getting organized—as it supports the remaining steps in the framework.

The purpose of this step is to carry out all essential activities to prepare an organization on all levels for managing privacy risks and security using the risk management framework.

During this step, the organization should:

Identify all key risk management roles
Establish an organizational risk management strategy
Determine the risk tolerance that’s acceptable
Go through a complete organization-wide risk assessment
Develop a strategy for continuous monitoring
Identify common controls

Some organizations may already have a head start on this step as part of other initiatives related to risk management or IT security.

You can refer to the NIST RMF Quick Start Guide Prepare Step FAQ for a more detailed explanation of the objectives and tasks during this step.

Step 2: Categorize

The purpose of the categorized step is to determine the adverse impact of certain events.

You need to look at various processes and tasks and think about how they relate to the loss of confidentiality, integrity, and availability of the systems. The step also refers to how information gets processed, how information is stored, and how information is transmitted by those systems.

Desired outcomes for the Categorize step include:

Document all system characteristics
Complete a full security categorization of information and systems
An authorizing official should categorize, review, and approve decisions

This step is highly administrative. It mainly involves a deeper understanding of the organization that goes beyond the initial preparation step.

Before categorizing systems, a system boundary must be defined. Based on those boundaries, similar types of information can be identified and grouped within that category, including roles, responsibilities, operating environments, and intended uses.

Refer to the NIST RMF Quick Start Guide Categorize Step FAQ for more information.

Step 3: Select

The select step uses the NIST SP 800-53 set of controls to protect systems based on risk assessments. The purpose here is to select, customize, and document all controls required to protect systems based on the appropriate risk.

These are essentially the operational and technical safeguards for information systems. They’re designed to protect the integrity, confidentiality, and availability of a system and all of the system’s information.

Desired outcomes during this step include:

Baseline controls are identified and customized
Controls are designed as hybrid, common, or system-specific
All controls are allocated to specific system components
A strategy is developed for continuous monitoring at the system level
Security plans and privacy plans related to controls, designation, and allocation must be reviewed and approved

Refer to the NIST RMF Quick Start Guide Select Step FAQ for more detailed instructions on implementing this step.

Step 4: Implement

By this stage, you should have already documented the controls and policies for your systems and information. Now it’s time to actually implement those controls, just as the step name implies.

The goal here is to execute the security plans and privacy plans for your systems organization-wide.

The desired outcomes for this step are fairly straightforward:

Specify the controls for security plans
Specify the controls for privacy plans
Implement the security and privacy plans
Update the security and privacy plans to reflect the new controls as they’re implemented

You’re basically describing how all of the controls are going to be used within an information system and its environment for operations. All policies should be customized for each device and align with the security documentation of the previous steps.

Use the NIST RMF Quick Start Guide Implement Step FAQ as an additional resource as you’re going through this part of the framework.

Step 5: Assess

The assessment phase is designed to determine whether the controls have been properly implemented. You also want to make sure that everything is operating as you intended and the desired results are being produced.

Here are the outcomes you should be trying to reach in this step:

An assessment team or single assessor has been identified
All security assessments and privacy assessment plans have been developed
The assessments are reviewed and approved
Control assessments are completed
Reports for security and privacy assessments have been generated
Remediation steps are identified for any areas of deficiency
Plans are updated to reflect changes and remediation steps
Milestones are developed in accordance with the new plan of action

In simple terms, you’re just going to review the work and see if the controls are working as they’re supposed to.

The NIST RMF Quick Start Guide Assess Step FAQ is a great resource for the assessment stage.

Step 6: Authorize

Now it’s time for a senior official or decision-maker to authorize the operation of a system based on the risk. They must analyze everything in place to see if the controls related to privacy and security are acceptable based on the risk tolerance.

Here’s what’s required:

A full authorization package that includes an executive summary, system security plan, privacy plan, assessment report, and plan of action milestones
Risk determinations
Risk responses
Approval or denial of the system or controls

Based on all of the reports given to the decision-maker, they must determine if the risk is appropriate or not.

Refer to the NIST RMF Quick Start Guide Authorize Step FAQ documentation for more information.

Step 7: Monitor

The NIST RMF is never actually complete. Even after you’ve gone through all the steps, the final step involves continuous monitoring.

Organizations must maintain ongoing awareness of different situations related to the security and privacy of systems and the company as a whole. This will allow the organization to make appropriate decisions for risk management.

Desired outcomes for monitoring include: