U.S. flag   An unofficial archive of your favorite United States government website
Dot gov

Official websites do not use .rip
We are an unofficial archive, replace .rip by .gov in the URL to access the official website. Access our document index here.

Https

We are building a provable archive!
A lock (Dot gov) or https:// don't prove our archive is authentic, only that you securely accessed it. Note that we are working to fix that :)

Computer Security Resource Center

Computer Security Resource Center

This is an archive
(replace .gov by .rip)
    Projects NIST Risk Management Framework About the RMF

NIST Risk Management Framework RMF

Risk Management Framework (RMF) - Select Step

At A Glance

RMF Select Step

 

Purpose: Select, tailor, and document the controls necessary to protect the system and organization commensurate with risk
 
Outcomes: 

  • control baselines selected and tailored
  • controls designated as system-specific, hybrid, or common
  • controls allocated to specific system components
  • system-level continuous monitoring strategy developed
  • security and privacy plans that reflect the control selection, designation, and allocation are reviewed and approved

 

Resources for Implementers

FIPS 200, Minimum Security Requirements for Federal Information and Information Systems

  • Specifies minimum security requirements for information and systems supporting the executive agencies of the federal government and a risk-based process for selecting the controls necessary to satisfy the minimum security requirements. 

NIST SP 800-53, Security and Privacy Controls for Information Systems and Organizations 

  • Catalog of security and privacy controls for all types of systems and organizations.
  • The controls are flexible and customizable to meet mission and business needs, and are implemented as part of an organization-wide process to manage risk.

NIST SP 800-53B, Control Baselines for Information Systems and Organizations 

  • Security and privacy control baselines for the Federal Government.
    • Three security control baselines (one for each impact level - low-impact, moderate-impact, and high-impact).
    • Privacy control baselines applied to systems irrespective of impact level
  • Provides guidance on tailoring and development of overlays to facilitate control baseline customization for specific communities of interest, technologies, and environments of operation.

 

Back to About the RMF

Contacts

NIST Risk Management Framework Team
sec-cert@nist.gov

Created November 30, 2016, Updated November 01, 2021