NIST Risk Management Framework RMF

Risk Management Framework (RMF) - Select Step

At A Glance

RMF Select Step


Purpose: Select, tailor, and document the controls necessary to protect the system and organization commensurate with risk

  • control baselines selected and tailored
  • controls designated as system-specific, hybrid, or common
  • controls allocated to specific system components
  • system-level continuous monitoring strategy developed
  • security and privacy plans that reflect the control selection, designation, and allocation are reviewed and approved


Resources for Implementers

FIPS 200, Minimum Security Requirements for Federal Information and Information Systems

  • Specifies minimum security requirements for information and systems supporting the executive agencies of the federal government and a risk-based process for selecting the controls necessary to satisfy the minimum security requirements. 

NIST SP 800-53, Security and Privacy Controls for Information Systems and Organizations 

  • Catalog of security and privacy controls for all types of systems and organizations.
  • The controls are flexible and customizable to meet mission and business needs, and are implemented as part of an organization-wide process to manage risk.

NIST SP 800-53B, Control Baselines for Information Systems and Organizations 

  • Security and privacy control baselines for the Federal Government.
    • Three security control baselines (one for each impact level - low-impact, moderate-impact, and high-impact).
    • Privacy control baselines applied to systems irrespective of impact level.
  • Provides guidance on tailoring and development of overlays to facilitate control baseline customization for specific communities of interest, technologies, and environments of operation.


Created November 30, 2016, Updated April 10, 2024