An introduction to the NIST Risk Management Framework

The Risk Management Framework (RMF) is a set of information security processes and standards developed by the National Institute of Standards and Technology (NIST) for the US federal government. The RMF is explicitly covered in the following NIST publications:

Special Publication 800-37, “Guide for Applying the Risk Management Framework to Federal Information Systems,” describes the formal RMF process itself: a six-step security life cycle that replaced the earlier certification and accreditation (C&A) process with assessment and authorization.

Special Publication 800-53, “Security and Privacy Controls for Federal Information Systems and Organizations,” provides the catalog of security and privacy controls, organized into low, moderate, and high baselines, from which the controls for a system are selected. Together, the two publications describe a structured process for integrating information security and risk management into system development from start to finish: an organization selects controls for each system and applies them organization-wide through an information security program in which organizational risk is explicitly considered.

What is organizational risk, and how can you take a risk-based approach to cybersecurity?

Organizational risk management is a systematic, structured way of identifying, assessing, and rating the risks an organization faces, in this case within the context of operating information systems. The NIST RMF provides a framework for making the resulting decisions, in particular which security controls to select and how much residual risk to accept.

The RMF applies a risk-based approach that weighs the effectiveness and efficiency of controls against the constraints imposed by regulations, directives, executive orders, policies, and other rules. The RMF defines the following activities, which can be applied to both new and legacy systems and which can be implemented through an effective information security management system (ISMS).

The RMF approach in six steps

  1. Categorize – Classify and label the information the system processes, stores, and transmits, and the system itself, based on an impact analysis (the potential impact on the organization if the confidentiality, integrity, or availability of that information were lost)
  2. Select – Using the categorization, select the corresponding baseline of security controls; tailor the baseline by removing, adding, or adjusting controls as necessary, based on the organization’s assessment of risk and local conditions
  3. Implement – Put the security controls in place and integrate them with existing systems; document how the controls are deployed within the system and its operating environment
  4. Assess – Evaluate the security controls to determine whether they are implemented correctly, operating as intended, and producing the desired outcome
  5. Authorize – A senior official (the authorizing official) reviews the assessment results and the remaining risk and decides whether to authorize the system to operate, based on the organization’s risk appetite (how much risk it is willing to tolerate) for its operations and assets, individuals, other organizations, and the Nation. The official either accepts the residual risk and authorizes the system or requires changes before authorization.
  6. Monitor – Set up an ongoing monitoring and assessment schedule for the security controls to measure their continued effectiveness. Document changes to the system or its operation, include impact analyses of those changes, and report findings to the organization’s information security officials.

As the RMF is meant to be a continual cycle, you then start again from step one and work through to step six to account for changes in the environment or in the system itself.

Risk Management Framework steps


A systematic and measurable approach to cybersecurity is vital to protecting your organization

To ensure the safety of personal data and maintain the trust of your customers, it is essential that you take adequate measures to protect the personal data you hold.

Compliance with the EU General Data Protection Regulation (GDPR) becomes mandatory on May 25, 2018. The Regulation is a significant overhaul of EU data protection law and seeks to safeguard the personal data of EU residents, including when that data is processed by organizations outside the EU.

With the GDPR compliance deadline just two months away, you need to ensure your business is prepared. The NIST Cybersecurity Framework can help you structure that work: it is a voluntary framework, originally aimed at critical infrastructure organizations but usable by any organization, whose core functions (Identify, Protect, Detect, Respond, Recover) map onto the activities an adequate ISMS must cover.

How IT Governance USA can help

The Cybersecurity Framework’s informative references point to ISO 27001, among other best-practice standards and guidelines, and we recommend that organizations use it as the basis for their ISMS.

ISO 27001 is the international standard that specifies the requirements for an ISMS and represents ISMS best practice.

Achieving accredited ISO 27001 certification is a strong indication that your company is taking the right measures to protect consumer data and to manage data breach events effectively.

ISO 27001 certification does not come easily – the process can be long and challenging, depending on your organization’s resources. To assist, IT Governance is offering a four-day training course combining its ISO27001 Foundation (CIS F) and Lead Implementer (CIS LI) courses. The program provides a complete introduction to ISO 27001 and its requirements, covering all the steps involved in planning, implementing, and maintaining an ISO 27001-compliant ISMS.

Book a place on our ISO27001 Foundation and Lead Implementer Combination Course for a 15% saving on the two separate courses.
