NIST Risk Management Framework RMF
Overview
Recent Updates:
- July 13, 2022: First online comment period using the SP 800-53 Public Comment Site open through August 12, 2022. View and comment on proposed changes (“candidates”) to SP 800-53 Rev. 5 controls.
- June 3, 2022: NIST Cybersecurity Framework and Supply Chain Risk Management Request for Information | Initial Summary Analysis of Responses
- February 2, 2022: Request for Information | Evaluating and Improving NIST Cybersecurity Resources: The NIST Cybersecurity Framework and Cybersecurity Supply Chain Risk Management
- January 25, 2022: NIST Special Publication (SP) 800-53A, Revision 5, Assessing Security and Privacy Controls in Information Systems and Organizations (final), has been released in portable document format (PDF), as comma-separated value (CSV), plain text, and Open Security Controls Assessment Language (OSCAL) formats.
The NIST Risk Management Framework (RMF) provides a comprehensive, flexible, repeatable, and measurable 7-step process that any organization can use to manage information security and privacy risk for organizations and systems and links to a suite of NIST standards and guidelines to support implementation of risk management programs to meet the requirements of the Federal Information Security Modernization Act (FISMA).
This site provides an overview, explains each RMF step, and offers resources to support implementation, such as updated Quick Start Guides, and the RMF Publication.
| Prepare |
Essential activities to prepare the organization to manage security and privacy risks |
| Categorize |
Categorize the system and information processed, stored, and transmitted based on an impact analysis |
| Select |
Select the set of NIST SP 800-53 controls to protect the system based on risk assessment(s) |
| Implement |
Implement the controls and document how controls are deployed |
| Assess |
Assess to determine if the controls are in place, operating as intended, and producing the desired results |
| Authorize |
Senior official makes a risk-based decision to authorize the system (to operate) |
| Monitor |
Continuously monitor control implementation and risks to the system |
Learn More
Controls & Control Baselines
Stay Informed & Contact Us
Project Links
Additional Pages
Created November 30, 2016, Updated July 14, 2022
) or https:// don't prove our archive is authentic, only that you securely accessed it. Note that we are working to fix that :)
