RiskWatch
Framework guide · ~10 min read · Updated June 2026

The NIST Risk Management Framework (RMF): the 7 steps explained

The NIST Risk Management Framework (RMF) is a structured 7-step process, defined in NIST SP 800-37 Revision 2, for managing security and privacy risk and authorizing information systems to operate. The seven steps are Prepare, Categorize, Select, Implement, Assess, Authorize, and Monitor. It is the process U.S. federal agencies and their contractors use to meet FISMA.

Source: SP 800-37 · Revision: Rev 2 · Steps: 7 · Drives: FISMA, ATO
01 · Definition

What is the NIST Risk Management Framework?

The NIST Risk Management Framework (RMF) is a disciplined, structured process for integrating security, privacy, and cyber supply chain risk management into the system development life cycle. It is published by the National Institute of Standards and Technology (NIST) in Special Publication 800-37, currently Revision 2.

The RMF gives organizations a repeatable way to select and apply controls, assess whether those controls work, and make a documented, risk-based decision about whether a system should operate. It is built around seven steps: Prepare, Categorize, Select, Implement, Assess, Authorize, and Monitor. The process is not a one-time event: the final step feeds continuous monitoring back into the earlier steps as systems and threats change.

"The RMF provides a disciplined, structured, and flexible process for managing security and privacy risk."

NIST SP 800-37 Rev 2
02 · Scope

Who the RMF applies to

The RMF was created for U.S. federal agencies and is the process they use to meet their obligations under the Federal Information Security Modernization Act (FISMA). Federal contractors and service providers that operate systems on behalf of agencies are generally expected to follow it as well, which is why the RMF shows up across government cloud, defense, and integrator programs.

Outside the federal context, the RMF is not a legal requirement. Even so, many private organizations adopt it voluntarily because it is a mature, well-documented method for managing risk. If you are weighing frameworks more broadly, see our overview of what risk management is and the NIST Cybersecurity Framework.

03 · The process

The 7 RMF steps

SP 800-37 Revision 2 defines seven steps. The table summarizes what happens at each one and the key NIST reference that supports it.

The seven steps of the NIST Risk Management Framework, what happens at each, and the key NIST reference.

| Step | What happens | Key NIST reference |
|---|---|---|
| 1. Prepare | Carry out the activities at the organization and system levels that set up the rest of the process: assign roles, define a risk management strategy, and conduct an organization-wide risk assessment. | NIST SP 800-37, SP 800-30, SP 800-39 |
| 2. Categorize | Categorize the system and the information it processes, stores, and transmits based on an impact analysis (the potential impact of a loss of confidentiality, integrity, and availability). | FIPS 199, NIST SP 800-60 |
| 3. Select | Select an initial set of controls for the system, tailor them to the conditions and risk, and document the decisions in a security and privacy plan. | FIPS 200, NIST SP 800-53, SP 800-53B |
| 4. Implement | Implement the controls and describe how they are deployed within the system and its environment of operation. | NIST SP 800-53 |
| 5. Assess | Assess the controls to determine whether they are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting the security and privacy requirements. | NIST SP 800-53A |
| 6. Authorize | A senior official makes a risk-based decision to authorize the system to operate, accepting the residual risk. A successful decision yields an authorization to operate (ATO). | NIST SP 800-37 |
| 7. Monitor | Continuously monitor the system and its controls: track changes, assess control effectiveness on an ongoing basis, and report the security and privacy posture to support ongoing authorization. | NIST SP 800-137 |

Prepare was added in Revision 2. Earlier versions of the framework described six steps; the seven-step model is the current one.

04 · The publications

How the RMF connects to 800-53 and FIPS

The RMF is the process, but it leans on a family of supporting NIST publications at specific steps. Understanding how they fit together is the fastest way to understand the framework as a whole.

  • FIPS 199 and FIPS 200

    FIPS 199 sets the standards for categorizing systems by impact level, which drives the Categorize step. FIPS 200 sets the minimum security requirements that frame which controls a system must consider in the Select step.

  • NIST SP 800-53

    SP 800-53 is the catalog of security and privacy controls. It is the source you draw from in the Select step and implement in the Implement step. SP 800-53B provides the control baselines that map to the FIPS 199 impact levels.

  • NIST SP 800-53A

    SP 800-53A provides the assessment procedures used in the Assess step to determine whether the controls from 800-53 are implemented correctly and operating as intended.

In short: FIPS 199 tells you how big the problem is, FIPS 200 and 800-53 tell you which controls apply, 800-53A tells you how to check them, and 800-37 (the RMF) is the process that ties it all together into an authorization decision.
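The Categorize and Select steps from the table above, and the FIPS 199 / SP 800-53B relationship described in this section, as an added Python example that is not RiskWatch's or NIST's code: it applies the FIPS 199 high-water mark across the information types a system carries, floors a system's confidentiality at Low when every information type's confidentiality is "not applicable", and picks the SP 800-53B baseline from the highest objective. The InfoType class, the function names and the sample information types are constructed for the illustration.

```python
"""FIPS 199 security categorization (high-water mark) and the SP 800-53B
baseline it selects. Added illustration, not RiskWatch's or NIST's code."""
from dataclasses import dataclass

# FIPS 199 impact values, ascending. "not applicable" is permitted only for the
# confidentiality of an individual information type (e.g. public web content).
LEVELS = ("not applicable", "low", "moderate", "high")
RANK = {lvl: i for i, lvl in enumerate(LEVELS)}
OBJECTIVES = ("confidentiality", "integrity", "availability")

@dataclass(frozen=True)
class InfoType:
    """Provisional impact values for one information type the system handles."""
    name: str
    confidentiality: str
    integrity: str
    availability: str

def _highest(levels):
    return max(levels, key=RANK.__getitem__)

def categorize(info_types):
    """Categorize step: per objective, the system's impact is the highest impact
    of any information type it processes, stores or transmits."""
    if not info_types:
        raise ValueError("a system must carry at least one information type")
    for t in info_types:
        for obj in OBJECTIVES:
            lvl = getattr(t, obj)
            if lvl not in RANK:
                raise ValueError(f"{t.name}: unknown impact value {lvl!r}")
            if lvl == "not applicable" and obj != "confidentiality":
                raise ValueError(f"{t.name}: {obj} cannot be 'not applicable'")
    sc = {obj: _highest(getattr(t, obj) for t in info_types) for obj in OBJECTIVES}
    # FIPS 199: a system's own objectives are never "not applicable"; floor at low.
    if sc["confidentiality"] == "not applicable":
        sc["confidentiality"] = "low"
    return sc

def baseline(security_category):
    """Select step: FIPS 200 / SP 800-53B pick the Low, Moderate or High
    baseline from the highest of the three objective impact values."""
    return _highest(security_category.values())

# Constructed sample: a benefits-claims portal carrying two information types.
SAMPLE = [
    InfoType("public web content", "not applicable", "moderate", "low"),
    InfoType("claimant records", "moderate", "moderate", "low"),
]
```

For the constructed sample, `categorize(SAMPLE)` yields confidentiality moderate, integrity moderate, availability low, so `baseline(...)` selects the Moderate baseline even though no single information type is Moderate on every objective.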

05 · Implementation

How to operationalize the RMF with software

The RMF is straightforward to describe and demanding to run. Most of the effort goes into evidence: tracking control implementation, assessment results, and the continuous monitoring that supports ongoing authorization. Spreadsheets buckle under that load.

From process to evidence
Run the RMF as a scored, evidenced assessment.

RiskWatch maps the SP 800-53 control catalog to a shared control library, runs the risk assessment behind the Categorize and Select steps, captures assessment results for the Assess step, and keeps the continuous-monitoring trail your authorizing official needs to maintain an authorization to operate. See how it works for NIST 800-53 compliance management and broader risk management.

06 · Frequently asked

NIST RMF, answered

The questions teams ask most when adopting the framework.

How many steps are in the NIST RMF?
The NIST Risk Management Framework has 7 steps: Prepare, Categorize, Select, Implement, Assess, Authorize, and Monitor. The Prepare step was added in NIST SP 800-37 Revision 2 in 2018; earlier versions of the framework described 6 steps without it. The steps are sequential for a new system, but the framework is a continuous cycle: the Monitor step feeds changes back into the earlier steps over the life of the system.
What is the difference between the NIST RMF and the NIST CSF?
The NIST Risk Management Framework (RMF), defined in SP 800-37, is a structured 7-step process for managing security and privacy risk and authorizing systems to operate. It is mandatory for most U.S. federal information systems. The NIST Cybersecurity Framework (CSF) is a voluntary, outcome-based framework organized around functions (Identify, Protect, Detect, Respond, Recover, and Govern in CSF 2.0) that any organization can adopt. The RMF is a how-to process; the CSF is a way to describe and communicate cybersecurity outcomes. They are complementary and often used together.
What is an authorization to operate (ATO)?
An authorization to operate (ATO) is the formal decision by a senior official, the authorizing official, to accept the risk of operating an information system and to permit it to run. It is the output of the Authorize step of the RMF. The authorizing official reviews the security and privacy plan, the assessment results, and the residual risk, then issues the authorization, often for a defined period or under ongoing authorization tied to continuous monitoring.
Is the NIST RMF mandatory?
For U.S. federal agencies, the RMF is effectively mandatory: it is the process agencies use to meet their obligations under the Federal Information Security Modernization Act (FISMA), and federal contractors that operate systems on behalf of agencies are generally required to follow it as well. Outside the federal context, the RMF is not legally required, but private organizations often adopt it voluntarily because it is a mature, well-documented approach to managing security and privacy risk.
What is NIST SP 800-37?
NIST Special Publication 800-37 is the document that defines the Risk Management Framework. The current version is Revision 2, titled 'Risk Management Framework for Information Systems and Organizations.' It describes the 7 RMF steps, the roles and responsibilities involved, and how the framework integrates security and privacy risk management into the system development life cycle.
From the framework to an authorization

Run the NIST RMF as a scored assessment.

SP 800-53 controls on a shared control library, the risk assessment behind Categorize and Select, captured assessment results, and the continuous-monitoring trail that keeps an authorization to operate alive. 30-day free trial, no credit card.
