U.S. flag   An unofficial archive of your favorite United States government website
Dot gov

Official websites do not use .rip
We are an unofficial archive, replace .rip by .gov in the URL to access the official website. Access our document index here.


We are building a provable archive!
A lock (Dot gov) or https:// don't prove our archive is authentic, only that you securely accessed it. Note that we are working to fix that :)

This is an archive
(replace .gov by .rip)

NIST Risk Management Framework RMF

Risk Management Framework (RMF) - Select Step

At A Glance

RMF Select Step


Purpose: Select, tailor, and document the controls necessary to protect the system and organization commensurate with risk

  • control baselines selected and tailored
  • controls designated as system-specific, hybrid, or common
  • controls allocated to specific system components
  • system-level continuous monitoring strategy developed
  • security and privacy plans that reflect the control selection, designation, and allocation are reviewed and approved


Resources for Implementers

FIPS 200, Minimum Security Requirements for Federal Information and Information Systems

  • Specifies minimum security requirements for information and systems supporting the executive agencies of the federal government and a risk-based process for selecting the controls necessary to satisfy the minimum security requirements. 

NIST SP 800-53, Security and Privacy Controls for Information Systems and Organizations 

  • Catalog of security and privacy controls for all types of systems and organizations.
  • The controls are flexible and customizable to meet mission and business needs, and are implemented as part of an organization-wide process to manage risk.

NIST SP 800-53B, Control Baselines for Information Systems and Organizations 

  • Security and privacy control baselines for the Federal Government.
    • Three security control baselines (one for each impact level - low-impact, moderate-impact, and high-impact).
    • Privacy control baselines applied to systems irrespective of impact level
  • Provides guidance on tailoring and development of overlays to facilitate control baseline customization for specific communities of interest, technologies, and environments of operation.


Back to About the RMF

Created November 30, 2016, Updated November 01, 2021