What is a Risk Management Framework?

Risk Management Framework (RMF) is the U.S. government’s security protocol guidelines for federal employees and IT systems. It was created by the National Institute of Standards and Technology (NIST) in 2010 and was later adopted by the Department of Defense (DOD).

All federal agencies are required to abide by RMF policies and procedures. However, other organizations in industries outside of government have also used the framework as part of their overall security plan.

An overview of the NIST Risk Management Framework (RMF)

There are seven specific steps involved in RMF as outlined by NIST:

1. Prepare - Essential activities to prepare the organization to manage security and privacy risks 
2. Categorize - Categorize the system and information processed, stored, and transmitted based on an impact analysis
3. Select - Select the set of NIST SP 800-53 controls to protect the system based on risk assessment(s)
4. Implement - Implement the controls and document how controls are deployed
5. Assess - Assess to determine if the controls are in place, operating as intended, and producing the desired results
6. Authorize - A senior official makes a risk-based decision to authorize the system (to operate)
7. Monitor - Continuously monitor control implementation and risks to the system

See Also: 

1. What is a Cyber Security Risk Assessment Report?
2. What is a Risk Assessment Template?
3. What is Risk Quantification?
4. What is Cyber Risk Management?