- CSRC Home
- Projects / Research
- news & events
Try the new CSRC.nist.gov and let us know what you think!
(Note: Beta site content may not be complete.)
The 6-step chart below can be used to link to FIPS, SP’s, FAQ’s and Quick Start Guide documents for the RMF steps. To access the respective documents for that step, place the cursor over the document and click the mouse button to link to that document. The menu on the left side of the page can also be used to access the FAQ’s and Quick Start Guides for each step in the RMF.
The Risk Management Framework provides a structured, yet flexible approach for managing the portion of risk resulting from the incorporation of information systems into the mission and business processes of the organization. The risk management concepts are intentionally broad-based with the specific details of assessing risk and employing appropriate risk mitigation strategies provided by the supporting NIST security standards and guidelines. The NIST FAQs and Quick Start Guides build on the NIST standards and guidance, consolidate information from various NIST publications, and provide sample ways to implement the standards and guidelines.
Developing the NIST Risk Management Framework and supporting documentation is a dynamic process where the risk management concepts and related documents are continually being refined and updated to better meet the needs of the user community. This means that the FAQs and Quick Start Guides may be based on evolving ideas documented in draft NIST standards and guidance or reference documents that have been superseded by a later version. The FAQs and Quick Start Guides will be updated regularly as NIST standards and publications change. The supporting materials include FAQs, Roles and Responsibilities Charts, and Quick Start Guides for each step in the Risk Management Framework.
The FAQs include a set of questions and answers that consolidate material from multiple NIST documents to provide information about each step of the framework. The questions in the FAQs are divided into four categories—general information describing the step, fundamental knowledge needed to understand and implement the activities required in the step, guidance to help organizations prepare for and implement the step, and step-by-step guidance to support those individuals applying the step to individual information systems.
The Roles and Responsibilities Charts summarize the major roles involved in the Risk Management Framework as they pertain to each step in the framework.
The Quick Start Guides are designed to provide an introduction to the NIST materials that support each step in the Risk Management Framework. The first guide for each step is from a management perspective providing an overview of the step and a summary of the documents supporting that portion of the framework. Each step also has additional guides that address the needs of the primary implementers of that step. For example, the primary implementers in the Categorize Step are the information security program office and the information owners/information system owners; therefore, the Categorize Step has two Tips and Techniques—the first directed at the information security program office, Tips and Techniques for Organizations, and the second, Tips and Techniques for Systems, directed at the information owner/information system owner that provides guidance to the individuals categorizing individual information systems. The Implement, Assess, and Authorize Steps have additional guides to support the primary implementers of those steps. The Quick Start Guides provide implementation guidance and examples on how to plan for, conduct, and document the results. While the guides provide examples and sample documentation, they are not mandatory nor do they prescribe required formats. Additional templates are available from other sources.
|Step 1: Categorize||Step 2: Select||Step 3: Implement|
|Step 4: Assess||Step 5: Authorize||Step 6: Monitor|