U.S. flag   An unofficial archive of your favorite United States government website
Dot gov

Official websites do not use .rip
We are an unofficial archive, replace .rip by .gov in the URL to access the official website. Access our document index here.


We are building a provable archive!
A lock (Dot gov) or https:// don't prove our archive is authentic, only that you securely accessed it. Note that we are working to fix that :)

This is an archive
(replace .gov by .rip)

NIST Risk Management Framework RMF

Risk Management Framework (RMF) - Prepare Step

At A Glance

RMF Prepare Step


Purpose: Carry out essential activities to help prepare all levels of the organization to manage its security and privacy risks using the RMF

  • key risk management roles identified
  • organizational risk management strategy established, risk tolerance determined
  • organization-wide risk assessment
  • organization-wide strategy for continuous monitoring developed and implemented
  • common controls identified


Resources for Implementers

​​​​NIST SP 800-39, Managing Information Security Risk: Organization, Mission, and Information System View

  • Guidance for organization-wide information security risk management as a complement to Enterprise Risk Management (ERM) programs
  •  Identifies components of and process for risk management (Frame Risk, Assess Risk, Respond to Risk, and Monitor Risk) and the levels of organizational risk management (Organization, Mission/Business Process, and Systems) 

NIST SP 800-30, Guide for Conducting Risk Assessments 

  • Guidance and a repeatable, flexible methodology for conducting risk assessments at all levels of the organization (Organization, Mission/Business Process, and System)
  • Includes multiple appendices for implementer to use for: threat source identification, examples of threat events, determine adverse impact, determine level of risk, templates for determining non-adversarial and adversarial risk and developing risk assessment reports

NIST SP 800-18, Guide for Developing Security Plans for Federal Information Systems 

  • Guidance on developing system security plans; includes a system security plan template

NIST SP 800-160, Volume 1, Systems Security Engineering: Considerations for a Multidisciplinary Approach in the Engineering of Trustworthy Secure Systems 

  • Guidance on including security into systems engineering processes; builds on systems engineering standard, ISO/IEC/IEEE 15288.

NISTIR 8062, An Introduction to Privacy Engineering and Risk Management in Federal Systems

  • An introduction to the concepts of privacy engineering and risk management, the basis for a common vocabulary for privacy risk, and definition of privacy engineering objectives and a privacy risk model 


Back to About the RMF

Created November 30, 2016, Updated November 01, 2021