Official websites use .gov
A .gov website belongs to an official government organization in the United States.

Secure .gov websites use HTTPS
A lock ( ) or https:// means you’ve safely connected to the .gov website. Share sensitive information only on official, secure websites.

NIST Risk Management Framework RMF

Risk Management Framework (RMF) - Prepare Step

At A Glance

RMF Prepare Step


Purpose: Carry out essential activities to help prepare all levels of the organization to manage its security and privacy risks using the RMF

  • key risk management roles identified
  • organizational risk management strategy established, risk tolerance determined
  • organization-wide risk assessment
  • organization-wide strategy for continuous monitoring developed and implemented
  • common controls identified


Resources for Implementers

​​​​NIST SP 800-39, Managing Information Security Risk: Organization, Mission, and Information System View

  • Guidance for organization-wide information security risk management as a complement to Enterprise Risk Management (ERM) programs
  •  Identifies components of and process for risk management (Frame Risk, Assess Risk, Respond to Risk, and Monitor Risk) and the levels of organizational risk management (Organization, Mission/Business Process, and Systems) 

NIST SP 800-30, Guide for Conducting Risk Assessments 

  • Guidance and a repeatable, flexible methodology for conducting risk assessments at all levels of the organization (Organization, Mission/Business Process, and System)
  • Includes multiple appendices for implementer to use for: threat source identification, examples of threat events, determine adverse impact, determine level of risk, templates for determining non-adversarial and adversarial risk and developing risk assessment reports

NIST SP 800-18, Guide for Developing Security Plans for Federal Information Systems 

  • Guidance on developing system security plans; includes a system security plan template

NIST SP 800-160, Volume 1, Systems Security Engineering: Considerations for a Multidisciplinary Approach in the Engineering of Trustworthy Secure Systems 

  • Guidance on including security into systems engineering processes; builds on systems engineering standard, ISO/IEC/IEEE 15288.

NISTIR 8062, An Introduction to Privacy Engineering and Risk Management in Federal Systems

  • An introduction to the concepts of privacy engineering and risk management, the basis for a common vocabulary for privacy risk, and definition of privacy engineering objectives and a privacy risk model 


Back to About the RMF

Created November 30, 2016, Updated June 14, 2024