The Risk Management Framework (RMF) is the “common information security framework” for the federal government and its contractors. The stated goals of RMF are:

  • To improve information security
  • To strengthen risk management processes
  • To encourage reciprocity among federal agencies

Through implementation of RMF, federal agencies can achieve compliance with policy directives such as the Federal Information Security Management Act (FISMA) and Office of Management and Budget (OMB) Circular A-130.

RMF effectively transforms traditional Certification and Accreditation (C&A) programs into a six-step life cycle process consisting of:

  1. Categorization of information systems
  2. Selection of security controls
  3. Implementation of security controls
  4. Assessment of security controls
  5. Authorization of information systems
  6. Monitoring of security controls

The National Institute of Standards and Technology (NIST), in partnership with the Joint Task Force Transformation Initiative (JTFTI), has developed a series of publications that provide detailed guidance on RMF implementation, categorization, security controls, etc.

The Committee on National Security Systems (CNSS) has developed the following publications that provide clarification of the NIST publications and additional requirements for implementing RMF for systems designated as NSS.

Implementation of RMF is now underway within the major “sectors” of the federal government: