What is the Risk Management Framework?

In short, the Risk Management Framework (RMF) is most commonly associated with the NIST SP 800-37 guide “Guide for Applying the Risk Management Framework to Federal Information Systems: A Security Life Cycle Approach,” which has been available for FISMA compliance since 2004.

The RMF was the result of a Joint Task Force Transformation Initiative Interagency Working Group; every agency of the US government must now abide by it and integrate this process. It was most recently integrated into DoD instructions, and many organizations are now creating new guidance for compliance with the RMF.

Across government, RMF describes the process that must be followed to secure, authorize and manage IT systems. RMF defines a process cycle that is used for the initial security protection of systems through an Authorization to Operate (ATO) and for integrating ongoing risk management (continuous monitoring).

The RMF is a six-step process, outlined below:

Step 1. Categorize information systems

This step is all administrative and involves gaining an understanding of the organization. Prior to categorizing a system, the system boundary should be defined. Based on that system boundary, all information types associated with the system can and should be identified. Information about the organization and its mission, its roles and responsibilities, as well as the system’s operating environment, intended use and connections with other systems may affect the final security impact level determined for the information system.

References: FIPS Publication 199; NIST Special Publications 800-30, 800-39, 800-59, 800-60; CNSS Instruction 1253.

Step 2. Select Security Controls

Security controls are the management, operational, and technical safeguards or countermeasures employed within an organizational information system that protect the confidentiality, integrity, and availability of the system and its information. Assurance is the grounds for confidence that the security controls implemented within an information system are effective in their application.

References: FIPS Publications 199, 200; NIST Special Publications 800-30, 800-53, 800-53A; CNSS Instruction 1253.

Step 3. Implement Security Controls

Step 3 requires an organization to implement security controls and describe how the controls are employed within the information system and its environment of operation. Policies should be tailored to each device to align with the required security documentation.

References: FIPS Publication 200; NIST Special Publications 800-30, 800-53, 800-53A; CNSS Instruction 1253; Web: SCAP.NIST.GOV.

Step 4. Assess Security Controls

Assessing the security controls requires using appropriate assessment procedures to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting the security requirements for the system.

References: NIST Special Publications 800-53A, 800-30, 800-70.

Step 5. Authorize Information System

Authorizing information system operation is based on a determination of the risk to organizational operations and individuals, assets, other organizations, and the nation resulting from the operation of the information system, and on the decision that this risk is acceptable.

Reporting is designed to work with the Plan of Action & Milestones (POA&M), which provides the tracking and status for any failed controls.

References: OMB Memorandum 02-01; NIST Special Publications 800-30, 800-39, 800-53A.

Step 6. Monitor Security Controls

Continuous monitoring programs allow an organization to maintain the security authorization of an information system over time in a highly dynamic operating environment where systems adapt to changing threats, vulnerabilities, technologies, and mission/business processes. While the use of automated support tools is not required, risk management can become near real-time through the use of automated tools. This helps with configuration drift and other potential security incidents associated with unexpected change on core components and their configurations, as well as providing standard ATO (Authorization to Operate) reporting.

References: NIST Special Publications 800-30, 800-39, 800-53A, 800-53, 800-137; CNSS Instruction 1253.

To sum things up, the Risk Management Framework will set standards across government by aligning controls and language and improving reciprocity. It allows a focus on risk to address the diversity of components, systems, and custom environments, as opposed to using a one-size-fits-all solution. It builds security into systems and will address security concerns faster. Overall Federal enterprise security will be accomplished via continuous monitoring and better roll-up reporting.

To learn more about RMF and how to apply it in your programs, join Federal Security and Compliance Expert Sean Sherman and myself, Steven Tipton, in an upcoming webcast as we discuss:

  • The RMF process and requirements
  • Pragmatic advice on getting started with RMF
  • How Tripwire solutions fit into each step of the RMF process

Join our webcast on Thursday, March 2, 2017, as we look at risk assessment in a new way.

Sign up today to reserve your space!

Additional Resources:

NIST SP 800-37 Guide

White paper: Adjusting to the reality of the RMF

P.S. Special thanks go to Sean Sherman for the material he helped put together on the Risk Management Framework that went into this article.