Official websites use .gov
A .gov website belongs to an official government organization in the United States.

Secure .gov websites use HTTPS
A lock ( ) or https:// means you’ve safely connected to the .gov website. Share sensitive information only on official, secure websites.

NIST Risk Management Framework RMF

Overview

January 31, 2024: NIST seeks to update and improve the guidance in SP 800-60, Guide for Mapping Types of Information and Information Systems to Security Categories. Specifically, NIST seeks feedback on its current use, proposed updates in the Revision 2 initial working draft and information types taxonomy, and opportunities for ongoing improvement to SP 800-60. The public is invited to provide input by March 18, 2024.

November 7, 2023:  NIST issues SP 800-53 Release 5.1.1 in the Cybersecurity and Privacy Reference Tool (CPRT).  The corresponding assessment procedures in SP 800-53A have also been updated , and the SP 800-53A assessment procedures and SP 800-53B control baselines are also now available in the CPRT.  For more information, see: CSRC News Article and the SP 800-53 Release 5.1.1 FAQ (updated). A detailed listing of the changes is also available for SP 800-53 and SP 800-53A.

Thank you to those who submitted comments using the NIST SP 800-53 Public Comment Website.  

The NIST Risk Management Framework (RMF) provides a comprehensive, flexible, repeatable, and measurable 7-step process that any organization can use to manage information security and privacy risk for organizations and systems and links to a suite of NIST standards and guidelines to support implementation of risk management programs to meet the requirements of the Federal Information Security Modernization Act (FISMA).  


This site provides an overview, explains each RMF step, and offers resources to support implementation, such as updated Quick Start Guides, and the RMF Publication.


RMF wheel

Prepare Essential activities to prepare the organization to manage security and privacy risks 
Categorize Categorize the system and information processed, stored, and transmitted based on an impact analysis
Select Select the set of NIST SP 800-53 controls to protect the system based on risk assessment(s)
Implement Implement the controls and document how controls are deployed
Assess Assess to determine if the controls are in place, operating as intended, and producing the desired results
Authorize Senior official makes a risk-based decision to authorize the system (to operate)
Monitor Continuously monitor control implementation and risks to the system

 

Created November 30, 2016, Updated March 11, 2024