Skip to main content

RMF Publications

NIST SPECIAL PUBLICATIONS (SP)

SP 800-12 (An Introduction to Information Security), June 2017
SP 800-18 (Security Plans),  Feb  2006
SP 800-30 (Risk Assessment), September 2012
SP 800-34 (Contingency Planning), May 2010
SP 800-37 Rev 2 (Risk Management Framework), December 2018
SP 800-39 (Organizational Risk Management), March 2011
SP 800-53 Rev. 4 (Security and Privacy Controls for Federal Information Systems and Organizations), January 2014
SP 800-53A Rev 4 (Assessing Security and Privacy Controls in Federal Information Systems and Organizations: Building Effective Assessment Plans), December 2014
SP 800-53B Rev 4 (Control Baselines for Information Systems and Orgainzations), October 2020
SP 800-53 Rev. 5 (Security and Privacy Controls for Information Systems and Organizations), September 2020

Analysis of updates between 800-53 Rev. 5 and Rev. 4, by MITRE Corp. for ODNI, December 2020 (xls)
Mapping: Appendix J Privacy Controls (Rev. 4) to Rev. 5, December 2020 (xls)
Mappings: Cybersecurity Framework and Privacy Framework to Rev. 5 (xls), December 2020 (xls)

SP 800-55 Rev 1 (Performance Measurement Guide for Information Security), July 2008
SP 800-59 (National Security Systems), August 2003
SP 800-60 Rev. 1 (Security Categorization), Volume 1, August 2008
SP 800-60 Rev. 1 (Security Categorization), Volume 2, August 2008
SP 800-61 Rev. 2(Incident Response Planning), August 2012
SP 800-137 (Information Security Continuous Monitoring (ISCM) for Federal Information Systems and Organizations), September 2011 
SP 800-137A (Assessing Information Security Continuous Monitoring (ISCM) Programs: Developing an ISCM Program Assessment), May 2020 
IR 7298 (Glossary of Key Information Security Terms) 

Recent Posts / View All Posts

Which Security Controls Are Required? A Definitive Answer

| Uncategorized | No Comments
By Amanda Lowell, Security+CE, RDRP Folks frequently reach out to BAI to ask, “Which security controls are required for X kind of DoD system?” It’s a valid question that can also be indicative of a common misconception.  The short answer is, you will have certain control overlays for your information…

RMF vs CSF: Which is better?

| Uncategorized | No Comments
By Kathryn Daily, CISSP, CGRC, RDRP         I know it’s a catchy headline, but it’s the wrong question to ask.  NIST RMF and CSF are two totally different animals with a different purpose.  NIST RMF is primarily focused on managing overall organizational risk, providing a structured approach…

CGRC – Governance, Risk and Compliance Certification vs. Certified Authorization Professional (CAP) Update

| Uncategorized | No Comments
By: Philip D. Schall, Ph.D., CISSP As many of you recall from an article written by Kathryn Daily in our January 2023 edition of RMF Today and Tomorrow titled CAP Becomes CGRC What Does this Mean? beginning February 15, 2023, ISC2 renamed the Certified Authorization Professional (CAP) certification to CGRC…