The Risk Management Framework (RMF) was originally developed by the Department of Defense (DoD) and has since been adopted across the rest of the U.S. federal government's information systems. The RMF process can be described in six main steps.
Step 1: Categorize
Step 2: Select
Step 3: Implement
Step 4: Assess
Step 5: Authorize
Step 6: Monitor
These steps improve the security of an information system or application by implementing security controls that support early risk detection and resolution. The RMF achieves this by bringing more structure and oversight to the system development life cycle: cybersecurity and risk management are integrated into the early stages of system development rather than bolted on at the end.
One of the main steps in the RMF is Step 2: Selecting the Security Controls. The security and privacy controls were established by NIST and are fully documented in NIST SP 800-53, Revision 5. Security and privacy controls are the safeguards and countermeasures prescribed for information systems. During this step, you decide which baseline security controls to implement based on the category the risk falls into. These controls protect the confidentiality, integrity, and availability of the system and its information. It is important to note that the Risk Management Framework is not simply a compliance drill. Security controls can be applied, but not all of them can be fully satisfied. You therefore have to take steps to mitigate the vulnerability, understand the severity of the residual risk, and make a determination as to whether you are willing to operate the system under that risk posture.
Attacks on information systems today are often well-organized, disciplined, aggressive, well-funded, and extremely sophisticated. Successful attacks on public and private sector information systems can cause serious harm. The ultimate goal of the six-step RMF approach is to ensure that your information system is protected and secure by implementing security controls and monitoring them regularly.