NIH | National Cancer Institute | NCI Wiki  


...

The RMF describes a structured yet flexible six-step approach for determining the level of risk mitigation needed to protect the information systems, information, and infrastructure that support organizational mission/business processes from serious threats. The six steps are: 1) Categorize the information system; 2) Select security controls; 3) Implement security controls; 4) Assess security controls; 5) Authorize the information system; and 6) Monitor security controls. The RMF is designed to guide organizations in developing good practices for securing their information and information systems: it helps leadership understand the current status of the organization's security programs and the security controls planned or in place to protect Federal information and information systems, so that they can make informed judgments and investments that mitigate risk to an acceptable level. The RMF provides a methodology that can be applied iteratively to both new and legacy information systems within the context of the system development life cycle (SDLC) and the Federal Enterprise Architecture (FEA). For each of the six steps, NIST has developed standards and guidance that enable organizations to apply the framework effectively to the information systems supporting the organization's mission/business processes. The RMF is defined in the National Institute of Standards and Technology (NIST) Special Publication 800-37 rev. 2, Risk Management Framework for Information Systems and Organizations: A System Life Cycle Approach for Security and Privacy (the earlier revision was titled Guide for Applying the Risk Management Framework to Federal Information Systems).

Security Assessment Report (SAR)

...