NIST Risk Management Framework RMF


About the Risk Management Framework (RMF)

A Comprehensive, Flexible, Risk-Based Approach

The Risk Management Framework provides a process that integrates security, privacy, and cyber supply chain risk management activities into the system development life cycle. The risk-based approach to control selection and specification considers effectiveness, efficiency, and constraints due to applicable laws, directives, Executive Orders, policies, standards, or regulations. Managing organizational risk is paramount to effective information security and privacy programs; the RMF approach can be applied to new and legacy systems, any type of system or technology (e.g., IoT, control systems), and within any type of organization regardless of size or sector.

Prepare: Essential activities to prepare the organization to manage security and privacy risks
Categorize: Categorize the system and information processed, stored, and transmitted based on an impact analysis
Select: Select the set of NIST SP 800-53 controls to protect the system based on risk assessment(s)
Implement: Implement the controls and document how controls are deployed
Assess: Assess to determine if the controls are in place, operating as intended, and producing the desired results
Authorize: Senior official makes a risk-based decision to authorize the system (to operate)
Monitor: Continuously monitor control implementation and risks to the system

Created November 30, 2016, Updated March 16, 2022


