
Risk Management Framework (RMF)
Frequently Asked Questions (FAQs), Roles and Responsibilities, and Quick Start Guides (QSGs)

The 6-step chart below links to the FIPS, SPs, FAQs, and Quick Start Guide documents for each RMF step. To open one of the documents for a step, place the cursor over that document in the chart and click. The menu on the left side of the page can also be used to access the FAQs and Quick Start Guides for each step in the RMF.

[Figure: Risk Management Framework flowchart, 6 steps. Documents linked from the chart: SP 800-39, FIPS 199, SP 800-60 Revision 1, FIPS 200, SP 800-53 Revision 3, SP 800-70, SP 800-53A Revision 1, SP 800-37 Revision 1, SP 800-137. Steps shown: Step 1: Categorize (FAQs / Quick Start Guides); Step 2: Select (FAQs / Quick Start Guides); Step 3: Implement (FAQs / Quick Start Guides, work in progress); Step 4: Assess (FAQs / Quick Start Guides, work in progress); Step 5: Authorize (FAQs / Quick Start Guides, work in progress); Step 6: Monitor (FAQs / Quick Start Guides).]

The Risk Management Framework provides a structured, yet flexible approach for managing the portion of risk resulting from the incorporation of information systems into the mission and business processes of the organization. The risk management concepts are intentionally broad-based with the specific details of assessing risk and employing appropriate risk mitigation strategies provided by the supporting NIST security standards and guidelines. The NIST FAQs and Quick Start Guides build on the NIST standards and guidance, consolidate information from various NIST publications, and provide sample ways to implement the standards and guidelines.

Developing the NIST Risk Management Framework and supporting documentation is a dynamic process where the risk management concepts and related documents are continually being refined and updated to better meet the needs of the user community. This means that the FAQs and Quick Start Guides may be based on evolving ideas documented in draft NIST standards and guidance or reference documents that have been superseded by a later version. The FAQs and Quick Start Guides will be updated regularly as NIST standards and publications change. The supporting materials include FAQs, Roles and Responsibilities Charts, and Quick Start Guides for each step in the Risk Management Framework.

The FAQs include a set of questions and answers that consolidate material from multiple NIST documents to provide information about each step of the framework. The questions in the FAQs are divided into four categories: general information describing the step; fundamental knowledge needed to understand and implement the activities required in the step; guidance to help organizations prepare for and implement the step; and step-by-step guidance to support those individuals applying the step to individual information systems.

The Roles and Responsibilities Charts summarize the major roles involved in the Risk Management Framework as they pertain to each step in the framework.

The Quick Start Guides are designed to provide an introduction to the NIST materials that support each step in the Risk Management Framework. The first guide for each step is written from a management perspective, providing an overview of the step and a summary of the documents supporting that portion of the framework. Each step also has additional guides that address the needs of the primary implementers of that step. For example, the primary implementers in the Categorize Step are the information security program office and the information owners/information system owners; therefore, the Categorize Step has two Tips and Techniques guides. The first, Tips and Techniques for Organizations, is directed at the information security program office; the second, Tips and Techniques for Systems, is directed at the information owner/information system owner and provides guidance to the individuals categorizing individual information systems. The Implement, Assess, and Authorize Steps have additional guides to support the primary implementers of those steps. The Quick Start Guides provide implementation guidance and examples on how to plan for, conduct, and document the results of each step. While the guides provide examples and sample documentation, they are not mandatory, nor do they prescribe required formats. Additional templates are available from other sources.

Step 1: Categorize
  • FAQs
  • Roles & Responsibilities
  • Quick Start Guides
    • Management Perspective
    • Organizational Perspective
    • Tips & Techniques for Organizations
    • System Perspective
    • Tips & Techniques for Systems

Step 2: Select
  • FAQs
  • Roles & Responsibilities
  • Quick Start Guides
    • Management Perspective
    • Organizational Perspective
    • Tips & Techniques for Organizations
    • System Perspective
    • Tips & Techniques for Systems

Step 3: Implement
  • FAQs
  • Roles & Responsibilities
  • Quick Start Guides
    • Management Perspective
    • Organizational Perspective
    • Tips & Techniques for Organizations
    • System Perspective
    • Tips & Techniques for Systems

Step 4: Assess
  • FAQs
  • Roles & Responsibilities
  • Quick Start Guides
    • Management Perspective
    • Organizational Perspective
    • Tips & Techniques for Organizations
    • System Perspective
    • Tips & Techniques for Systems

Step 5: Authorize
  • FAQs
  • Roles & Responsibilities
  • Quick Start Guides
    • Management Perspective
    • Organizational Perspective
    • Tips & Techniques for Organizations
    • System Perspective
    • Tips & Techniques for Systems

Step 6: Monitor
  • FAQs
  • Roles & Responsibilities
  • Quick Start Guides
    • Management Perspective
    • Organizational Perspective
    • Tips & Techniques for Organizations
    • System Perspective
    • Tips & Techniques for Systems
