
NIST Risk Management Framework (RMF)

About the Risk Management Framework (RMF)

A Comprehensive, Flexible, Risk-Based Approach

The Risk Management Framework provides a process that integrates security, privacy, and cyber supply chain risk management activities into the system development life cycle. The risk-based approach to control selection and specification considers effectiveness, efficiency, and constraints due to applicable laws, directives, Executive Orders, policies, standards, or regulations. Managing organizational risk is paramount to effective information security and privacy programs; the RMF approach can be applied to new and legacy systems, any type of system or technology (e.g., IoT, control systems), and within any type of organization regardless of size or sector.


NIST SP 800-37: The Risk Management Framework Steps


For more information on each RMF Step, including Resources for Implementers and Supporting NIST Publications, select the Step below.

  • Prepare: Essential activities to prepare the organization to manage security and privacy risks
  • Categorize: Categorize the system and the information it processes, stores, and transmits based on an impact analysis
  • Select: Select the set of NIST SP 800-53 controls to protect the system based on risk assessment(s)
  • Implement: Implement the controls and document how the controls are deployed
  • Assess: Assess whether the controls are in place, operating as intended, and producing the desired results
  • Authorize: A senior official makes a risk-based decision to authorize the system (to operate)
  • Monitor: Continuously monitor control implementation and risks to the system


RMF Roles and Responsibilities (download)

These resources may be used by governmental and nongovernmental organizations and are not subject to copyright in the United States. Attribution would, however, be appreciated by NIST.


Quick Start Guides (QSG) for the RMF Steps

  • Download RMF QSG: Prepare Step FAQ (.pdf) 
  • Download RMF QSG: Categorize Step FAQ (.pdf) 
  • Download RMF QSG: Select Step FAQ (.pdf) 
  • Download RMF QSG: Implement Step FAQ (.pdf) 
  • Download RMF QSG: Assess Step FAQ (.pdf) 
  • Download RMF QSG: Authorize Step FAQ (.pdf)
  • Download RMF QSG: Monitor Step FAQ (.pdf) 
  • Download RMF QSG: ALL FAQs (.zip)
  • Download RMF QSG: Roles and Responsibilities (.pdf)


Created November 30, 2016, Updated November 01, 2021