What is the Risk Management Framework (RMF)?

The National Institute of Standards and Technology (NIST) has created a series of Special Publications (SP) that provide guidance to federal agencies on implementing the provisions of FISMA and related policies. These documents collectively define a comprehensive Risk Management Framework for information systems.

A key element of the Risk Management Framework (RMF) is the Security Authorization process (also known as the Certification and Accreditation, or C&A process) defined in NIST Special Publication 800-37.

Also key to the Risk Management Framework are NIST Special Publication 800-53, which contains a standardized set of Security Controls (requirements) for information systems, and NIST SP 800-53A, which contains guidance on how to assess the effectiveness of these security controls.

Other important NIST documents include:

  • Federal Information Processing Standard (FIPS) 199 and NIST SP 800-60, which deal with categorizing information systems and their data
  • NIST SP 800-30, which provides guidance on risk assessment
  • NIST SP 800-34, which provides guidance on developing contingency plans

The NIST Security Authorization (or C&A) process is used by each of the federal “civilian” agencies as the basis of their own information security program. Agencies are now in the process of adapting and adopting other elements of the Risk Management Framework.