Computer Security Resource Center

Risk Management

Risk Management Framework: Quick Start Guides

The figure below can be used to link to the relevant FIPS, SPs, FAQs and Quick Start Guide documents for the RMF steps.

SP 800-39

The Risk Management Framework (RMF) provides a structured, yet flexible approach for managing the portion of risk resulting from the incorporation of systems into the mission and business processes of the organization.

The NIST FAQs and Quick Start Guides build on the NIST standards and guidance, consolidate information from various NIST publications, and provide sample ways to implement the standards and guidelines. The links below point to supporting materials for each RMF Step, including FAQs, Roles and Responsibilities Charts, and Quick Start Guides for each step in the Risk Management Framework.

Step 0: Prepare

Step 1: Categorize

Step 2: Select

Step 3: Implement

Step 4: Assess

Step 5: Authorize

Step 6: Monitor

The FAQs include a set of questions and answers that consolidate material from multiple NIST documents to provide information about each step of the framework. The questions in the FAQs are divided into four categories—general information describing the step, fundamental knowledge needed to understand and implement the activities required in the step, guidance to help organizations prepare for and implement the step, and step-by-step guidance to support those individuals applying the step to individual systems.

The Quick Start Guides are designed to provide an introduction to the NIST materials that support each step in the Risk Management Framework.

The Roles and Responsibilities Charts summarize the major roles involved in the Risk Management Framework as they pertain to each step in the framework.

The first guide for each step is written from a management perspective, providing an overview of the step and a summary of the documents supporting that portion of the framework. Each step also has additional guides that address the needs of the primary implementers of that step. For example, the primary implementers in the Categorize Step are the information security program office and the information owners/system owners; therefore, the Categorize Step has two Tips and Techniques guides: the first, Tips and Techniques for Organizations, is directed at the information security program office, and the second, Tips and Techniques for Systems, is directed at the information owner/system owner and provides guidance to the individuals categorizing individual systems. The Implement, Assess, and Authorize Steps have additional guides to support the primary implementers of those steps. The Quick Start Guides provide implementation guidance and examples on how to plan for, conduct, and document the results. While the guides provide examples and sample documentation, they are not mandatory, nor do they prescribe required formats. Additional templates are available from other sources.


Created November 30, 2016, Updated February 12, 2019