
Publication Citation: Guide for Applying the Risk Management Framework to Federal Information Systems: A Security Life Cycle Approach


Author(s): Ronald S. Ross
Title: Guide for Applying the Risk Management Framework to Federal Information Systems: A Security Life Cycle Approach
Published: June 10, 2014
Abstract: This publication provides guidelines for applying the Risk Management Framework (RMF) to federal information systems. The six-step RMF includes security categorization, security control selection, security control implementation, security control assessment, information system authorization, and security control monitoring. The RMF promotes the concept of near real-time risk management and ongoing information system authorization through the implementation of robust continuous monitoring processes, provides senior leaders the necessary information to make cost-effective, risk-based decisions with regard to the organizational information systems supporting their core missions and business functions, and integrates information security into the enterprise architecture and system development life cycle. Applying the RMF within enterprises links risk management processes at the information system level to risk management processes at the organization level through a risk executive (function) and establishes lines of responsibility and accountability for security controls deployed within organizational information systems and inherited by those systems (i.e., common controls).
Citation: NIST SP 800-37 Rev. 1
Keywords: Risk management; risk assessment; security authorization; security control; system development life cycle; Risk Management Framework; security control assessment; continuous monitoring; ongoing authorization; security categorization; security control selection; security plan; security assessment report; plan of action and milestones; security authorization package; authorization to operate; common control; information system owner/steward; senior information security officer; common control provider; authorizing official
Research Areas: Information Technology, Computer Security, Cybersecurity
DOI: http://dx.doi.org/10.6028/NIST.SP.800-37r1