

Risk Management Framework (RMF) - Select Step

At A Glance


 

Purpose: Select, tailor, and document the controls necessary to protect the system and organization commensurate with risk
 
Outcomes: 

  • control baselines selected and tailored
  • controls designated as system-specific, hybrid, or common
  • controls allocated to specific system components
  • system-level continuous monitoring strategy developed
  • security and privacy plans that reflect the control selection, designation, and allocation are reviewed and approved

 


Resources for Implementers


FIPS 200, Minimum Security Requirements for Federal Information and Information Systems

  • Specifies minimum security requirements for information and systems supporting the executive agencies of the federal government and a risk-based process for selecting the controls necessary to satisfy the minimum security requirements. 

NIST SP 800-53, Security and Privacy Controls for Information Systems and Organizations 

  • Catalog of security and privacy controls for all types of systems and organizations.
  • The controls are flexible and customizable to meet mission and business needs, and are implemented as part of an organization-wide process to manage risk.

NIST SP 800-53B, Control Baselines for Information Systems and Organizations 

  • Security and privacy control baselines for the Federal Government.
    • Three security control baselines (one for each impact level - low-impact, moderate-impact, and high-impact).
    • Privacy control baselines applied to systems irrespective of impact level.
  • Provides guidance on tailoring and development of overlays to facilitate control baseline customization for specific communities of interest, technologies, and environments of operation.

 



Created November 30, 2016, Updated October 19, 2021