by Sarah K. White

What is the Risk Management Framework (RMF)? A standardized security framework

Jul 09, 2020
IT Governance FrameworksRisk ManagementSecurity

Risk management and security are top concerns for most organizations, especially in government industries. The Risk Management Framework (RMF) integrates security into the early development stages to help speed up time to delivery while avoiding risk.

Cybersecurity lock with the abstract circuitry of a security fabric.
Credit: Phive2015 / Getty Images

The Risk Management Framework (RMF) was developed and published by the National Institute of Standards and Technology (NIST) in 2010 and later adopted by the Department of Defense (DoD) to act as criteria for strengthening and standardizing the risk management process of information security organizations. The framework can be used by nearly any company interested in bolstering cybersecurity and risk management.

Risk management is means for protecting organizational assets and systems by implementing security controls that support early risk detection and resolution. The RMF achieves this by helping companies bring more structure and oversight to the system development life cycle by integrating cybersecurity and risk management into the early stages of the system development process.

While federal agencies are required to follow the RMF when developing systems for government platforms, the framework can also help non-government companies with IT risk management practices.   

Risk management framework steps

The RMF helps companies standardize risk management by implementing strict controls for information security. The newest version of the RMF, released in 2018, has seven steps you will need to follow to implement it properly. The ultimate goal of the seven-step RMF approach is to reach the Authorization to Operate (ATO) phase, which is when systems are allowed to go live in a government environment.

Here’s how to reach ATO by following these seven RMF steps:

  1. Prepare:  NIST added this step in revision 2 of RMF, recognizing the importance of preparing the organization to get the most value from RMF, critically focusing on communication. As NIST explains, “Prepare carries out essential activities at the organization, mission and business process, and information system levels of the enterprise to help prepare the organization to manage its security and privacy risks using the Risk Management Framework.”
  2. Categorize: This step pertains to how information is processed, stored and transmitted by the system in question. It requires you to define how the system interacts with other IT systems and networks, to understand what compliance measures you need to take, and to establish an architectural description of the system.
  3. Select: The Select step includes setting a baseline for security controls based on what category the risk falls into during step one. During the this step, you will make decisions about what baseline security controls you want to implement based on what category the risk falls into.
  4. Implement: The third step involves implementing the security measures established in step two. During this step, you should ensure your implementation process is well-documented in case you need to revisit your implementation after the next step.
  5. Assess: During the fourth step, it’s time to make sure everything is running as intended and that the controls are correctly applied to the system. The Assess step is when you check to see whether the categories and baseline security controls established in the first steps were implemented properly during implementation. If not, you’ll need to go back to the Implement step until everything runs smoothly before you can move onto the fifth step.
  6. Authorize: This is the step you’re ultimately trying to reach with RMF. You can move onto the fifth step based on how you do during the assessment phase. Once your categories and security controls have been properly implemented, that’s when the system can be granted or denied Authority to Operate (ATO). If it is denied, the Authorize step will be postponed until everything checks out.
  7. Monitor: Once the system controls are in place they need to be continually monitored. The ATO granted in the fifth phase is good for only three years and the entire process will need to be repeated once it expires.

RMF certification and training

All federal employees working for the DoD Information Assurance (IA) workforce need to be trained on RMF and qualified to implement RMF in the workplace, according to the DoD8570 mandate. To get trained and certified, there are several programs available that are designed to get you up to speed on RMF. Even if you aren’t working in a government IA job, these programs can still get you briefed on everything you need to know to implement the RMF in your development cycle.