Ask Dr. RMF – Controls Freak

RMF “Controls Freak” asks:

I’m still fairly new at the profession, but since being assigned to an RMF project by my company, I have become rather obsessed with the RMF security controls. My ambition is to memorize all the controls and control enhancements in NIST 800-53 so that if someone says “MA-3”, for example, I will be able to quote the control text verbatim. Is this a reasonable ambition, Dr. RMF, and do you think it will lead to future promotions?

Dr. RMF Responds:

First of all, true confession. Back in his younger days, Dr. RMF did exactly what you’re talking about, but with the DIA-CAP controls. There were only about 100 of those, so it wasn’t quite the same. Now you realize there are well over a thousand controls and control enhancements in the NIST SP 800-53 Rev 5. Dr. RMF believes it would definitely be a major undertaking to memorize them all, but I’m sure it can be done. After all, medical students memorize the name and function of every bone, muscle, nerve and blood vessel in the body. Yeah, they’re pretty smart folks, but so are a lot of us cybersecurity professionals. Just sayin’…

However, just because it’s a “monumental achievement” to memorize all the RMF controls doesn’t mean it’s something you should spend your time doing. It’s kind of like climbing Mount Everest, but without the risk of death … unless you’re foolish enough to walk across a city street with your head buried in the 800-53 document! Sure, memorizing the RMF controls might get you some “geek cred” in cybersecurity circles, but it is unlikely to get you a promotion on the job. There are much better ways to spend your time furthering your cybersecurity knowledge and skills. Get some more training (from BAI, of course), pick up a new certification, you get the drill. Those kind of things are far more likely to advance your career than becoming the uber-geek of RMF controls!

Do you have an RMF dilemma that you could use advice on how to handle? If so, Ask Dr. RMF! BAI’s Dr. RMF consists of BAI’s senior RMF consultants who have decades of RMF experience as well as peer-reviewed published RMF research.

Want to see more of Dr. RMF? Watch our Dr. RMF video collection at

Dr. RMF submissions can be made at

Post Categories: Dr. RMFRisk Management Framework Tags: