
The Risk Management Framework (RMF) is the “common information security framework” for the federal government and its contractors. The stated goals of RMF are to:

  • Improve information security
  • Strengthen risk management processes
  • Encourage reciprocity among federal agencies

Through implementation of RMF, federal agencies can achieve compliance with policy directives such as the Federal Information Security Modernization Act (FISMA) and Office of Management and Budget (OMB) Circular A-130.

RMF effectively transforms traditional Certification and Accreditation (C&A) programs into a seven-step life cycle process (the Prepare step, numbered 0, was added in NIST SP 800-37 Revision 2) consisting of:

0. Prepare
1. Categorization of information systems
2. Selection of security controls
3. Implementation of security controls
4. Assessment of security controls
5. Authorization of information systems
6. Monitoring of security controls

The National Institute of Standards and Technology (NIST), in partnership with the Joint Task Force Transformation Initiative (JTFTI), has developed a series of publications that provide detailed guidance on RMF implementation, system categorization, security control selection and assessment, and related topics.

The Committee on National Security Systems (CNSS) has developed publications that clarify the NIST publications and add requirements for implementing RMF on systems designated as National Security Systems (NSS).

RMF is now the standard process within the major “sectors” of the federal government:


RMF for DoD IT Training

The RMF for DoD IT training program is suitable for DoD employees and contractors. This four-day program includes comprehensive coverage of policy background, roles and responsibilities, the life cycle process, security controls and assessment, and documentation. RMF for DoD IT is offered as a one-day fundamentals class or as the four-day full program.
