For your convenience, BAI has assembled the following collection of RMF-related government publications. Please note these are UNCLASSIFIED documents with no restrictions on usage or distribution.

Laws and Executive Branch Policies

Federal Information Security Management Act (FISMA), 2014

OMB Circular A-130 (Managing Information as a Strategic Resource)

Federal Information Processing Standards (FIPS) Publications

FIPS 199 (Security Categorization), February 2004

FIPS 200 (Minimum Security Controls), March 2006

NIST Special Publications (SP)

SP 800-12 (An Introduction to Information Security), June 2017

SP 800-18 (Security Plans), Feb 2006

SP 800-30 (Risk Assessment), September 2012

SP 800-34 (Contingency Planning), May 2010

SP 800-37 Rev 2 (Risk Management Framework), December 2018

SP 800-39 (Organizational Risk Management), March 2011

SP 800-53 Rev. 4 (Security and Privacy Controls for Federal Information Systems and Organizations), January 2014

SP 800-53A Rev 4 (Assessing Security and Privacy Controls in Federal Information Systems and Organizations: Building Effective Assessment Plans), December 2014

SP 800-55 Rev 1 (Performance Measurement Guide for Information Security), July 2008

SP 800-59 (National Security Systems), August 2003

SP 800-60 Rev. 1 (Security Categorization), Volume 1, August 2008

SP 800-60 Rev. 1 (Security Categorization), Volume 2, August 2008

SP 800-61 Rev. 2 (Incident Response Planning), August 2012

SP 800-137 (Assessing Information Security Continuous Monitoring (ISCM) Programs: Developing an ISCM Program Assessment), September 2011

SP 800-137A (Assessing Information Security Continuous Monitoring (ISCM) Programs: Developing an ISCM Program Assessment), May 2020 

IR 7298 (Glossary of Key Information Security Terms) 

Committee on National Security Systems (CNSS) Publications

CNSSP 22 (Risk Management Policy for NSS) 


CNSSI 1254 (Risk Management Framework Documentation Data Element Standards and Reciprocity Process for NSS)

CNSSI 4009 (Committee on National Security Systems (CNSS) Glossary) 

Classified Information Overlay

Privacy Overlays

Department of Defense Instructions (DoDI)

DoDI 8500.01 (Cybersecurity) 

DoDI 8510.01 (RMF for DoD IT) 

Intelligence Community (IC) Publications

ICD 503 (Risk Management, Certification and Accreditation) 

DISA Cloud Computing Supplemental Guidance and Information

DISA Cloud Computing Security Requirements Guide v1r3 | Online Version

Best Practices Guide for DoD Cloud Mission Owners

Cloud Connection Process Guide v2

Cloud Related Baselines and eMASS Cloud Overlays Ver. 1, Rel 1

DoD Cloud Cyberspace Protection Guide

DoD Cyber Activities Performed for Cloud Service Memo

Secure Cloud Computing Architecture (SCCA) Functional Requirements (FR) v2-9