
NIST Risk Management Framework RMF

RMF Online Introductory Courses


The purpose of these courses is to provide those new to risk management with an introduction to key publications associated with the NIST Risk Management Framework (RMF) methodology for managing cybersecurity and privacy risk.

The RMF Online Introductory Courses are developed by NIST and available on-demand, and free of charge. Please refer first to the FAQ below for questions about course logistics, topics and content, initial troubleshooting of issues, and certificate of completion and course credit before reaching out to the team with questions.  

Select a course below to learn more and click the launch link to start the course in a new window.
 

Online Introductory Courses

NIST SP 800-37, Risk Management Framework (RMF) for Information Systems and Organizations: A System Life Cycle Approach for Security and Privacy

RMF Prepare Step

The purpose of this course is to provide people new to risk management with an overview of a methodology for managing organizational risk in accordance with NIST Special Publication (SP) 800-37, Revision 2. For individuals with experience with NIST SP 800-37, Revision 1, this course explains updates to the RMF in Revision 2, including the integration of privacy and supply chain risk management into this holistic process. The RMF provides a disciplined, structured, and flexible process for managing security and privacy risk that includes information security categorization; control selection, implementation, and assessment; system and common control authorizations; and continuous monitoring.

This course describes at a high level the importance of establishing an organization-wide risk management program, the information security legislation related to organizational risk management, the steps in the RMF, and the NIST publications related to each step.

NIST SP 800-53, Security and Privacy Controls for Information Systems and Organizations

SP 800-53

NIST SP 800-53 provides a comprehensive catalog of outcome-based security and privacy controls. The controls can be implemented in organizations of all types and sizes, as well as in any type of system. The controls provide the safeguards to protect the confidentiality, integrity, and availability of systems and information, and to manage privacy risks.

This course introduces the structure and organization of the security and privacy controls in Revision 5 of the catalog. It also describes key considerations for the implementation of controls as part of an organization-wide risk management program.

NIST SP 800-53A, Assessing Security and Privacy Controls in Information Systems and Organizations

SP 800-53A

NIST SP 800-53A introduces a control assessment methodology and a set of assessment procedures for the SP 800-53 controls. Control assessments are critical for understanding the overall effectiveness of implemented controls and are essential in determining risk.

This course introduces the structure and organization of the Revision 5 assessment procedures. It also describes a methodology to build and tailor effective assessment plans, and how to report, analyze, and manage assessment results as part of an organization-wide risk management program.

NIST SP 800-53B, Control Baselines for Information Systems and Organizations

SP 800-53B

NIST SP 800-53B establishes security and privacy control baselines for systems and organizations, and provides tailoring guidance for those baselines. The security and privacy control baselines were developed specifically for federal systems but can serve as a starting point for any organization. 

Control baselines are collections of controls from SP 800-53 assembled to address specific protection needs for low-impact, moderate-impact, and high-impact systems, and to meet privacy program requirements under Office of Management and Budget (OMB) Circular A-130.

This course introduces the structure and organization of the SP 800-53B security and privacy control baselines, and provides guidance on tailoring and on the development of control overlays to facilitate control baseline customization for specific communities of interest, technologies, and environments of operation.

Note: SP 800-53B is a companion document to SP 800-53 Revision 5.

Frequently Asked Questions

Q: Are these courses self-guided or instructor-led?

A: The courses provided are self-guided online courses.

 

Q: Is there a fee to access these courses?

A: No. The NIST materials provided on the CSRC website, including the RMF and SP 800-53 series introductory courses, are free to any interested party.

 

Q: Is registration required?

A: No. Registration is not required to access the courses.

 

Q: Do the courses include closed captioning?

A: Please click the “Notes” icon in the upper right-hand corner of the course player for a transcript of the slide narration.

 

Q: Do the course materials support the use of assistive technologies?

A: The course presentations have been designed and developed to meet our responsibilities under Section 508 of the Rehabilitation Act. The presentation player provides a screen-reading option in the upper-left corner of the website that works with assistive technologies. The screen-reading option may not be available on some tablet or smartphone devices.

Q: What do these courses cover?

A: These courses provide a high-level overview of important security and privacy risk management concepts based directly on the material in the NIST special publications.

  • The RMF introductory course gives an overview of a methodology for managing organizational risk in accordance with NIST Special Publication (SP) 800-37, Revision 2.

  • The SP 800-53 introductory course explains the concepts of security and privacy controls and introduces the SP 800-53 control catalog.

  • The SP 800-53A introductory course explores a methodology and set of procedures for assessing and monitoring the effectiveness of SP 800-53 controls selected and implemented.

  • The SP 800-53B introductory course provides guidance for selecting controls from the SP 800-53 control catalog using security and privacy control baselines. This includes tailoring the selection of controls to best support the management of organizational and system risks.

For additional details about the content of each course, please see the full course description.

 

Q: Do I need to have any prior knowledge about cybersecurity concepts to understand the material in these courses?

A: Topics in the courses are addressed at a high level, with references to supporting material. Individuals new to cybersecurity can benefit from reviewing NIST SP 800-12, An Introduction to Information Security, which explains basic cybersecurity concepts that can provide additional context for the material and examples presented in the courses.

Additionally, the NIST Small Business Cybersecurity Corner provides a Cybersecurity Fundamentals presentation which illustrates basic cybersecurity and risk management concepts.

 

Q: Which course should I complete first?

A: There is no defined order for completing the courses. It may be helpful to understand the central concepts of the NIST Risk Management Framework (RMF) before starting the NIST SP 800-53 series courses, but it is not required.

Q: Do I need any specific hardware or software to access the courses?

A: The course presentations can be accessed using a web browser on a wide range of devices, including desktops, laptops, tablets, and smartphones.

 

Q: What web browser is best for viewing the course material?

A: To view the course content, please use an up-to-date version of Microsoft Edge, Mozilla Firefox, Google Chrome, or Safari browsers. For mobile device users, iOS 14 or Android 7 is recommended.

 

Q: Can I pause the course and resume it later?

A: You can leave the course at any time and resume it from where you left off by enabling cookies for this website in your browser. If you are using the browser in private or incognito mode, cookies are deleted after the browser is closed and the course cannot be resumed.

 

Q: Can I skip ahead to expedite the course?

A: Clicking on the “NEXT >” button will not allow you to advance to the next slide without viewing the entire current slide. It has been reported that manually skipping to the end of the current slide, using the slide timer, may cause the playback to freeze and require the course to be restarted.

 

Q: What should I do if I am encountering technical issues playing back the courses (e.g., buffering issues)?

A: This could be caused by many different issues. We recommend checking your internet connection, enabling cookies (so progress information can be temporarily saved), refreshing the page or restarting the internet browser, or trying the site again later.

Q: Is there a quiz at the end of each course?

A: No, there are no quizzes at the end of each course. The material in each course is provided for informational purposes only.

 

Q: Are certificates issued upon completion of the courses?

A: At the end of each course presented on this NIST website, a certificate of course completion is provided as a courtesy. The certificate only identifies that the course material was viewed and does not attest to any qualifications, knowledge, or skill level resulting from the completion of the course.

 

Q: How do I print the certificate of completion?

A: Use the browser's print option, generally found in the browser menu, to print or capture a PDF of the course certificate. Please add your name and the date of completion to the certificate.

 

Q: How can I earn Continuing Education Credits (CEC) or Continuing Professional Education (CPE) credits?

A: NIST does not issue CEC or CPE credits. Individuals who complete the online courses can capture the certificate and add their name and the date of course completion to it.

Q: How can I get a copy of the course materials to share within my organization?

A: Slides for each course are available in PowerPoint format and include a transcription of the narration in the slide notes. To download a copy of the slides, users must review and agree to the terms of use for each course. Refer to the "Download Slides" button to access the terms of use that correspond with each course above.

If you are unable to access the Google Form containing the terms of use, please download the PDF form and submit it to sec-cert@nist.gov. Please allow up to 5 business days for a response if you submit the PDF form.

The narrated course content is available in a variety of Learning Management System (LMS) formats, including AICC, cmi5, Experience API (xAPI), and SCORM (1.2, 2004). To request a copy of the course materials for Learning Management System (LMS) formats, contact the NIST Risk Management Framework (RMF) Team at sec-cert@nist.gov. Please indicate the course requested, the required format, and a valid email address for receiving the requested material.

 

Q: Can I use the course material to teach a class?

A: You may present the course materials to support your own cybersecurity learning program; however, attribution to NIST is appreciated. The use of certain NIST-produced content requires permission. Please contact the NIST Risk Management Framework (RMF) Team at sec-cert@nist.gov if you have any questions about using the course materials as part of your curriculum.

 

Q: Can NIST present this material to my organization as an instructor-led course?

A: The NIST Risk Management Framework (RMF) Team does not have instructors to teach these courses. If you are interested in having a representative from the NIST RMF Team present a more in-depth topic related to the RMF and supporting publications at an upcoming meeting or event, please complete and submit the speaker request form at least 2 weeks prior to the event, and allow up to 5 business days for a decision on the request to be made.


The courses are also available to organizations that wish to include them in their Learning Management Systems (LMS) in the following LMS standards: SCORM, AICC, xAPI, and cmi5. For more information, please contact sec-cert@nist.gov.

Created November 30, 2016, Updated June 14, 2024