Skip to main content
U.S. flag

An official website of the United States government

Dot gov

The .gov means it’s official.
Federal government websites often end in .gov or .mil. Before sharing sensitive information, make sure you’re on a federal government site.

Https

The site is secure.
The https:// ensures that you are connecting to the official website and that any information you provide is encrypted and transmitted securely.

Risk Management Framework

The Cybersecurity Framework can help federal agencies to integrate existing risk management and compliance efforts and structure consistent communication, both across teams and with leadership. That is why on May 11, 2017, the President issued an Executive Order on Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure requiring federal agencies to use the Framework.

NIST has been updating its suite of cybersecurity and privacy risk management publications to provide additional guidance on how to integrate the implementation of the Cybersecurity Framework.  NIST Interagency Report (IR) 8170 Approaches for Federal Agencies to Use the Cybersecurity Framework summarized eight approaches that may be useful for federal agencies and others.  The NISTIR 8170 discusses how the CSF can be valuable in managing federal information and information systems according to:

Conversely, the RMF incorporates key Cybersecurity Framework, privacy risk management, and systems security engineering concepts. Among other things, the CSF Core can help agencies to:

  • better-organize the risks they have accepted and the risk they are working to remediate across all systems,
  • use the reporting structure that aligns to Security and Privacy Controls for Federal Information Systems and Organizations (SP 800-53 Rev. 4), and
  • enable agencies to reconcile mission objectives with the structure of the Core.

Consistent with OMB Memorandum M-17-25, federal implementation of the Cybersecurity Framework fully supports the use of and is consistent with the risk management processes and approaches defined in SP 800-39 and SP 800-37. This allows agencies to meet their concurrent obligations to comply with the requirements of FISMA and E.O. 13800.

Each task in the RMF includes references to specific sections in the Cybersecurity Framework. For example:

  • Task P-2, Risk Management Strategy, aligns with the Cybersecurity Framework Core [Identify Function];
  • Task P-4, Organizationally-Tailored Control Baselines and Cybersecurity Framework Profiles, aligns with the Cybersecurity Framework Profile construct; and
  • Task R-5, Authorization Reporting, and Task M-5, Security and Privacy Reporting, support OMB reporting and risk management requirements organization-wide by using the Cybersecurity Framework constructs of Functions, Categories, and Subcategories. The Subcategory mappings to the [SP 800-53] controls are available at: https://www.nist.gov/cyberframework/federal-resources.

For more information on the NIST Risk Management Framework, see: https://csrc.nist.gov/projects/risk-management/risk-management-framework-(rmf)-overview

Created February 27, 2020, Updated March 20, 2020