NIST Risk Management Framework (RMF)

Find out how the NIST RMF, originally developed for government security, is being used to protect companies in the private sector.  

What Is the NIST Risk Management Framework?

The National Institute of Standards and Technology (NIST) and the United States Department of Defense (DoD) worked together to establish a unified cybersecurity framework for the Federal Government. This is called the Risk Management Framework (RMF). The RMF was designed to help federal agencies meet the strict demands of policies like The Privacy Act of 1974 and the Federal Information Security Modernization Act of 2014 (FISMA), although its broad application and comprehensive security foundation have since made it popular among private enterprises as well.  

The RMF is not a product but rather a six-step process created to “improve information security, strengthen risk management processes, and encourage reciprocity among federal agencies,” as stated by NIST. Notably, it integrates risk management and IT security into the systems development lifecycle, requiring organizations to implement data governance and threat modeling to reduce risk.

NIST RMF Compliance: Who Needs to Comply?

Every federal agency is required to comply with the NIST Risk Management Framework. Originally developed in partnership with the Department of Defense, it was adopted by all federal information systems of the U.S. government in 2010 and remains in use today.

While not a requirement beyond federal agencies, it should be noted that private sector and non-profit organizations have found NIST RMF to be useful in improving their security posture and achieving compliance. Using RMF bolsters compliance with standards like GDPR and the NIST Cybersecurity Framework (CSF) and helps companies more quickly identify and respond to new threats and vulnerabilities.

NIST RMF Compliance Checklist

The National Institute of Standards and Technology defines seven major steps in the RMF. These steps are sequential and designed to be flexible, repeatable, comprehensive, and measurable so that agencies of all types can smoothly integrate them into their processes.

Step 1: Prepare

A new step, added in Revision 2 of the RMF, to reduce complexity and support the other steps.

See the RMF Quick Start guide on Prepare for more details. 

References: NIST Special Publications 800-30, 800-39, 800-18, 800-160 Volume 1, NISTIR 8062

Step 2: Categorize Information System

Classify and label data and systems to get an accurate risk assessment.  

The resulting category determines the level of controls that should be applied.

Categorize Step Quick Start Guide 

References: FIPS Publication 199; NIST Special Publications 800-30, 800-39, 800-59, 800-60 Volume 1 and Volume 2; CNSS Instruction 1253. 

Step 3: Select Security Controls

Review the categorization to select the right security controls.  

Revise and adjust the controls as the system's risk profile changes.

Select Step Quick Start Guide 

References: FIPS Publications 199, 200; NIST Special Publications 800-30, 800-53, 800-53B; CNSS Instruction 1253. 
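As an added example (not the page's or Fortra's own code), the categorization in Step 2 and the baseline selection in Step 3 can be modeled directly: FIPS 199 sets each objective's impact to the highest impact of any information type the system processes, and FIPS 200 applies a high-water mark across the three objectives to pick the SP 800-53B baseline. The information types and their impact values below are constructed.

```python
# Added example, not NIST's or Fortra's own tooling. Models FIPS 199
# categorization and the FIPS 200 high-water mark used to select a
# SP 800-53B control baseline. Sample information types are constructed.
from enum import IntEnum


class Impact(IntEnum):
    """FIPS 199 potential impact values, ordered so max() yields the high-water mark."""
    LOW = 1
    MODERATE = 2
    HIGH = 3


# Constructed sample: information types the system handles, each with its
# (confidentiality, integrity, availability) impact assigned per FIPS 199.
INFO_TYPES = {
    "public web content": (Impact.LOW, Impact.MODERATE, Impact.LOW),
    "citizen benefit records": (Impact.MODERATE, Impact.MODERATE, Impact.LOW),
    "payment instructions": (Impact.MODERATE, Impact.HIGH, Impact.MODERATE),
}


def system_category(info_types):
    """FIPS 199: for each objective, the system's impact is the highest
    impact of any information type it processes for that objective."""
    return {
        "confidentiality": max(v[0] for v in info_types.values()),
        "integrity": max(v[1] for v in info_types.values()),
        "availability": max(v[2] for v in info_types.values()),
    }


def overall_impact(category):
    """FIPS 200 high-water mark: the overall system impact level is the
    highest of the three objectives; it selects the SP 800-53B baseline."""
    return max(category.values())


def baseline_name(level):
    """Map the overall impact level to the SP 800-53B baseline it selects."""
    return {Impact.LOW: "LOW baseline", Impact.MODERATE: "MODERATE baseline",
            Impact.HIGH: "HIGH baseline"}[level]


def format_sc(category):
    """Render the FIPS 199 security category expression for the system."""
    return "SC = {(confidentiality, %s), (integrity, %s), (availability, %s)}" % (
        category["confidentiality"].name, category["integrity"].name,
        category["availability"].name)


if __name__ == "__main__":
    cat = system_category(INFO_TYPES)
    print(format_sc(cat))
    print("Overall impact level:", overall_impact(cat).name,
          "->", baseline_name(overall_impact(cat)))
```

Note that a single HIGH integrity rating on one information type pulls the whole system into the HIGH baseline, which is why the page stresses accurate categorization before controls are selected.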

Step 4: Implement Security Controls

Ensure security controls have been properly deployed, with appropriate policies and management by qualified personnel.

Implement Step Quick Start Guide 

References: FIPS Publication 200; NIST Special Publications 800-34, 800-61, 800-128; CNSS Instruction 1253; Web: SCAP.NIST.GOV. 

Step 5: Assess Security Controls

Validate that controls have been successfully implemented and are producing the desired outcomes.

Assess Step Quick Start Guide 

References: NIST Special Publication 800-53A, NISTIR 8011

Step 6: Authorize Information System

Create a formal approval process with designated authorization officials. 

This provides tracking and status for all controls. 

Authorize Step Quick Start Guide 

References: OMB Memorandum 02-01; NIST Special Publications 800-30, 800-39, 800-53A 

Step 7: Monitor Security Controls

Continuously monitor the effectiveness of security controls and make changes as necessary to keep them effective.

Monitor Step Quick Start Guide 

References: NIST Special Publications 800-53A, 800-53, 800-137; NISTIR 8011, NISTIR 8212

Fortra and the NIST RMF Framework

Offensive Security

Proactively test agency security measures and safely test incident preparedness with penetration testing, adversary simulation, and red teaming.

Vulnerability Management

Identify and prioritize vulnerabilities in government systems to mitigate risks. 

Email Security & Anti-Phishing

Protect agency email and keep data safe from phishing, insider threats, and accidental data loss.

Data Protection

Safeguard classified data everywhere it travels within and outside the agency.

Integrity Management

Achieve real-time change intelligence with integrity monitoring and security configuration management.

Security Awareness Training

Reduce risk of data breach by improving security culture.

Learn More About Fortra for Government

Trust experience when it comes to securing your government agency. Discover the many ways Fortra’s portfolio of solutions protects the public sector.
