What is RMF?

The Risk Management Framework (RMF) is the “common information security framework” for the federal government and its contractors. The stated goals of RMF are:

• To improve information security
• To strengthen risk management processes
• To encourage reciprocity among federal agencies

Through implementation of RMF, federal agencies can achieve compliance with policy directives such as the Federal Information Security Management Act (FISMA), and Office of Management and Budget (OMB) Circular A-130.

RMF effectively transforms traditional Certification and Accreditation (C&A) programs into a six-step life cycle process consisting of:

1. Categorization of information systems
2. Selection of security controls
3. Implementation of security controls
4. Assessment of security controls
5. Authorization of information systems
6. Monitoring of security controls

The National Institute of Standards and Technology (NIST), in partnership with the Joint Task Force Transformation Initiative (JTFTI), has developed a series of publications that provide detailed guidance on RMF implementation, categorization, security controls, etc.

• NIST Special Publication (SP) 800-37 (Rev. 1) – contains detailed guidance on the RMF roles, responsibilities, and life cycle process
• Federal Information Processing Standard (FIPS) Publication 199 and NIST SP 800-60 – contain information on categorization of systems and data
• FIPS 200 and NIST SP 800-53 (Rev. 3) – contain details on the security controls (requirements) for federal information systems
• NIST SP 800-53A (Rev. 1) – contains guidance on security controls assessment
• NIST SP 800-137 – contains guidance on security controls monitoring

The Committee on National Security Systems (CNSS) has developed the following publications that provide clarification of the NIST publications and additional requirements for implementing RMF for systems designated as NSS.

• NIST SP 800-59 – contains criteria for designation of an IT system as a National Security System (NSS)
• CNSS Publication (CNSSP) 22 – clarifies the implementation of RMF in NSS
• CNSS Instruction (CNSSI) 1253 – provides further specifications for system categorization and security controls applicable to NSS

Implementation of RMF is now underway within the major “sectors” of the federal government:

• Federal "civil" agencies
• Intelligence Community (IC) agencies
• Department of Defense (DoD) components