Skip to main content
U.S. flag

An official website of the United States government

Official websites use .gov
A .gov website belongs to an official government organization in the United States.

Secure .gov websites use HTTPS
A lock ( ) or https:// means you’ve safely connected to the .gov website. Share sensitive information only on official, secure websites.

Guide for Applying the Risk Management Framework to Federal Information Systems: A Security Life Cycle Approach

Published

Author(s)

Ronald S. Ross

Abstract

This publication provides guidelines for applying the Risk Management Framework (RMF) to federal information systems. The six-step RMF includes security categorization, security control selection, security control implementation, security control assessment, information system authorization, and security control monitoring. The RMF promotes the concept of near real-time risk management and ongoing information system authorization through the implementation of robust continuous monitoring processes, provides senior leaders the necessary information to make cost-effective, risk-based decisions with regard to the organizational information systems supporting their core missions and business functions, and integrates information security into the enterprise architecture and system development life cycle. Applying the RMF within enterprises links risk management processes at the information system level to risk management processes at the organization level through a risk executive (function) and establishes lines of responsibility and accountability for security controls deployed within organizational information systems and inherited by those systems (i.e., common controls). [Supersedes SP 800-37 Rev. 1 (February 2010): http://www.nist.gov/manuscript-publication-search.cfm?pub_id=904985]
Citation
Special Publication (NIST SP) - 800-37 Rev 1
Report Number
800-37 Rev 1

Keywords

categorize, information systems, common controls, continuous monitoring, FISMA, risk management framework, roles and responsibilities, security authorization, security controls

Citation

Ross, R. (2014), Guide for Applying the Risk Management Framework to Federal Information Systems: A Security Life Cycle Approach, Special Publication (NIST SP), National Institute of Standards and Technology, Gaithersburg, MD, [online], https://doi.org/10.6028/NIST.SP.800-37r1 (Accessed November 20, 2024)

Issues

If you have any questions about this publication or are having problems accessing it, please contact reflib@nist.gov.

Created June 10, 2014, Updated January 27, 2020