Risk management framework

From Wikipedia, the free encyclopedia
Jump to navigation Jump to search
The Risk Management Framework (NIST Special Publication 800-37).

The Risk Management Framework is a United States federal government policy and standards to help secure information systems (computers and networks) developed by National Institute of Standards and Technology.

The two main publications that cover the details of RMF are NIST Special Publication 800-37, "Guide for Applying the Risk Management Framework to Federal Information Systems", and NIST Special Publication 800-53, "Security and Privacy Controls for Federal Information Systems and Organizations".

NIST Special Publication 800-37, "Guide for Applying the Risk Management Framework to Federal Information Systems", developed by the Joint Task Force Transformation Initiative Working Group, transforms the traditional Certification and Accreditation (C&A) process into the six-step Risk Management Framework (RMF).

The Risk Management Framework (RMF), illustrated at right, provides a disciplined and structured process that integrates information security and risk management activities into the system development life cycle.[1]

The RMF steps include:

  • Categorize the information system and the information processed, stored, and transmitted by that system based on an impact analysis. Vested party is identified.
  • Select an initial set of baseline security controls for the information system based on the security categorization; tailoring and supplementing the security control baseline as needed based on an organizational assessment of risk and local conditions. If any overlays apply to the system it will be added in this step
  • Implement the security controls identified in step 2.
  • Assess: a third party assesses the controls and verifies that the controls are properly applied to the system.
  • Authorize: the information system is granted or denied an Authorization to Operate (ATO), in some cases it may be postponed while certain items are fixed. The ATO is based on the report from the Assessment phase.
  • Monitor: the security controls in the information system are monitored in a pre-planned fashion documented earlier in the process. ATO is good for 3 years, every 3 years the process needs to be repeated.


During its lifecycle, an information system will encounter many types of risk that affect the overall security posture of the system and the security controls that must be implemented. The RMF process supports early detection and resolution of risks. Risk can be categorized at high level as infrastructure risks, project risks, application risks, information asset risks, business continuity risks, outsourcing risks, external risks and strategic risks. Infrastructure risks focus on the reliability of computers and networking equipment. Project risks focus on budget, timeline and system quality. Application risks focus on performance and overall system capacity. Information asset risks focus on the damage, loss or disclosure to an unauthorized part of information assets. Business continuity risks focus on maintaining a reliable system with maximum up-time. Outsourcing risks focus on the impact of 3rd party supplier meeting their requirements. [2] External risks are items outside the information system control that impact the security of the system. Strategic risks focuses on the need of information system functions to align with the business strategy that the system supports. [3]

See also[edit]


  1. ^ Guide for Applying the Risk Management Framework to Federal Information Systems
  2. ^ IT Risk Management Framework for Business Continuity by Change Analysis of Information System
  3. ^ An Empirical Study on the Risk Framework Based on the Enterprise Information System

External links[edit]