NIST SP 800-37
Risk Management Framework on one operating record

NIST SP 800-37 Risk Management Framework (RMF) explained

NIST Special Publication 800-37 Revision 2 (December 2018), titled the Risk Management Framework for Information Systems and Organisations, is the seven-step framework federal agencies, FedRAMP cloud service providers, defence contractors, regulated enterprises, and any organisation operating under FISMA reads against to manage information system security and privacy risk. The framework expanded from six steps to seven in Revision 2 with the addition of the Prepare step at both the organisation and system level, and integrated privacy controls and supply chain risk management into the operating sequence.

For internal security teams, AppSec teams, GRC owners, vulnerability management functions, security architects, security engineering teams, and CISOs, RMF is the vocabulary that lets a security programme communicate consistently across federal procurement reviews, the FedRAMP authorisation, the CMMC certification, audit committees, and enterprise customer security questionnaires. Programmes already operating against NIST SP 800-53, NIST CSF 2.0, or ISO 27001 do not migrate to RMF; the framework reads as the federal-side operating sequence that places those control catalogues into a structured authorisation lifecycle.

The seven steps: Prepare, Categorise, Select, Implement, Assess, Authorise, Monitor

RMF Revision 2 organises the framework into seven sequential steps. The steps are sequential in dependency, not strictly in calendar time: continuous monitoring produces evidence the next reauthorisation reads against, so the framework operates as a cycle rather than as a one-off project. Each step has named tasks, named roles, named artefacts, and a specified output that the next step reads against.

FIPS 199 categorisation: low, moderate, high

The Categorise step reads against FIPS Publication 199 for the impact-level determination. The categorisation drives the control baseline selected in Step 3, the assessment depth in Step 5, the AO seniority in Step 6, and the continuous monitoring cadence in Step 7. The decision applies to confidentiality, integrity, and availability independently; the high-water-mark across the three drives the overall system categorisation.

Named roles and artefacts the framework expects

RMF names roles and artefacts with specific responsibilities. The named roles give the framework an accountability layer the assessment, the authorisation, and the continuous monitoring read against. Programmes that adopt RMF without designating the named roles end up with unsigned artefacts and an assessment trail that does not name the responsible parties.

• Risk Executive (function): the senior-leadership role that holds organisation-wide risk management responsibility and ensures the risk decisions across systems are consistent with the organisation risk tolerance.
• Authorising Official (AO): the senior official with the authority to formally assume responsibility for operating an information system at an acceptable level of risk. The AO signs the authorisation decision.
• Senior Agency Information Security Officer (SAISO): the official responsible for carrying out the CIO responsibilities for information security under FISMA.
• Information System Owner: the official responsible for the procurement, development, integration, modification, operation, maintenance, and disposal of the system.
• Information Owner / Steward: the official with statutory, management, or operational authority for specified information and the responsibility for establishing the controls for its generation, classification, collection, processing, dissemination, and disposal.
• Information System Security Officer (ISSO): the official responsible to the AO, the CIO, or the System Owner for ensuring the appropriate operational security posture is maintained for the system.
• Control Assessor: the individual, group, or organisation responsible for conducting the comprehensive assessment of the management, operational, and technical security controls.
• Security Control Assessor (SCA): synonymous with Control Assessor in many federal programmes. The SCA produces the Security Assessment Report.
• Common Control Provider: the organisation responsible for the development, implementation, assessment, and monitoring of common controls inherited by multiple systems.
• Plan of Action and Milestones (POA&M): the artefact that captures the remediation commitments arising from the assessment, with the assigned owner, the required resources, the milestones, the scheduled completion date, and the status.
• System Security Plan (SSP): the artefact that describes the system, the system boundary, the security categorisation, the selected controls, the tailoring decisions, the parameters, and the implementation evidence per control.
• Security Assessment Report (SAR): the artefact that documents the assessor findings, the recommendations, and the residual risk assessment after assessment of the implemented controls.
• Authorisation Decision Document (ADD): the artefact that captures the AO authorisation decision, the terms and conditions of authorisation, the authorisation termination date, and the supporting basis.

Where RMF sits next to NIST CSF 2.0, NIST 800-53, FedRAMP, and CMMC

RMF is the operating sequence that places the NIST SP 800-53 control catalogue into a structured authorisation lifecycle. The two are paired: 800-37 is the process framework, 800-53 is the control catalogue. NIST CSF 2.0 is the outcomes-oriented framework boards and senior leaders read against; CSF describes what to achieve, RMF describes how a federal system authorises and operates against the controls that achieve it. FedRAMP is the cloud-service-provider authorisation programme that operates RMF with FedRAMP-specific baselines, the FedRAMP Program Management Office, and the JAB or Agency authorisation paths. CMMC is the Department of Defense certification programme for defence contractors that reads CUI-handling controls from NIST SP 800-171 (which derives from 800-53) and assesses contractor maturity at the named CMMC levels. A regulated programme that operates under FISMA, sells to federal civilian agencies, sells to the Department of Defense, or provides cloud services to the federal government typically reads multiple of these frameworks together; RMF is the operating sequence the others place into.

Recurring failure modes RMF programmes hit

Programmes that struggle with RMF typically hit a small set of recurring failure modes. Naming the failure modes upfront lets the programme design controls to avoid them rather than discovering them during the AO defence.

Evidence the framework expects to see

A defensible RMF programme produces a stable evidence set across the seven steps. The artefact set is the authorisation package the AO signs against and the same evidence the continuous monitoring, the reauthorisation, and the parallel framework reads (ISO 27001 audit, SOC 2 examination, FedRAMP assessment, CMMC assessment) consume.

• System Security Plan (SSP) with the system description, the system boundary, the FIPS 199 categorisation, the selected controls with tailoring rationale, the parameters, the implementation evidence reference per control, and the ISSO and SO signatures
• Security Assessment Report (SAR) with the assessment procedures applied, the findings per control, the severity per finding, the recommended remediation, and the assessor signature
• Plan of Action and Milestones (POA&M) with the per-finding owner, the required resources, the milestones, the scheduled completion date, the status, and the per-update history
• Authorisation Decision Document (ADD) with the AO authorisation decision, the terms and conditions, the authorisation termination date, the residual risk assessment, and the AO signature
• Continuous Monitoring Strategy and the per-cycle monitoring evidence: configuration change reviews, vulnerability scan reports, audit log review records, control reassessment outputs on the defined cadence
• Configuration baseline evidence per system component, with the change control record, the configuration deviation tracking, and the configuration audit results
• Vulnerability management evidence covering scan execution records, finding triage, severity calibration, remediation SLAs, exception register entries, and retest evidence per remediated finding
• Access review evidence per access-control review cycle, with the user inventory, the role mapping, the access grant rationale, the access removal records, and the privileged-account inventory
• Incident response evidence covering the IR plan, the tabletop exercise records, the actual incident records, the lessons-learned outputs, and the IR plan revision history
• Contingency planning evidence covering the contingency plan, the contingency test records, the alternate site evidence, and the backup execution record
• Risk assessment artefacts per the Prepare and Categorise steps, with the threat sources, the threat events, the vulnerabilities, the likelihood, the impact, and the resulting risk determinations
• Training and awareness evidence per the PO-aligned role definitions, with the training delivery record, the per-individual completion record, and the per-role training requirement

How RMF reads across security functions

RMF is a cross-functional framework. The same operating record reads differently depending on the function that holds the work. Programmes that run RMF as a GRC exercise alone lose the engineering depth the framework expects; programmes that run it as an engineering exercise alone lose the governance depth. The named functions below own different parts of the same artefact set.

Running RMF on SecPortal

SecPortal is built around the operating record an RMF programme reads against: the engagement is the per-system authorisation cycle, the findings record carries the assessment and the POA&M, the documents area carries the SSP, the SAR, and the ADD, and the activity log carries the audit trail every named control reads against. The platform alignment below maps the verified product capabilities to the RMF steps and artefacts so the framework is held on one operating record rather than reconstructed at AO sign-off.

• Engagement management as the workspace anchor for the RMF programme, with the per-system authorisation cycle, the assessment scope, the AO sign-off, and the reauthorisation cadence tracked as engagements that produce the artefact set as a side effect rather than as a parallel project
• Findings management with CVSS 3.1 calibration so the Step 5 assessment findings, the POA&M entries, and the continuous monitoring vulnerabilities all read the same severity vocabulary and the remediation SLA is enforceable
• Compliance tracking across NIST SP 800-53, NIST CSF 2.0, NIST SSDF, FedRAMP, CMMC, ISO 27001, SOC 2, PCI DSS, and the additional framework catalogues, so the RMF control selection (Step 3) reads against the same record the parallel framework reads consume
• Code scanning via Semgrep against connected repositories so the SA-11 developer security testing evidence and the SI-2 flaw remediation evidence accumulate as scan execution records archived per system
• Authenticated scanning and domain scanning so the RA-5 vulnerability monitoring control, the SI-4 information system monitoring control, and the SC-7 boundary protection assessment all have the scan-side evidence on the operating record
• Document management for the SSP, the SAR, the POA&M, the ADD, the continuous monitoring records, the configuration baselines, the contingency plan, and the IR plan, so the authorisation package lives on the record rather than across a folder hierarchy that drifts from the operating reality
• Activity log with CSV export so every state change to a finding, an engagement, a document, a user role, or a credential is reproducible from one source, which is the audit trail AU-2, AU-3, AU-6, and AU-12 controls read against
• Repository connections via GitHub, GitLab, and Bitbucket OAuth so the SA-15 development process control, the CM-3 configuration change control, and the SA-11 developer security testing evidence read against the same source-control state
• Multi-factor authentication for workspace access so the IA-2 identification and authentication control reads against the operating posture rather than against a policy statement
• Team management with RBAC so the AC-2 account management, the AC-6 least privilege, and the PS-2 position risk designation controls have the per-role evidence the assessment expects
• AI report generation that turns the engagement record into the AO-readable authorisation package narrative, the continuous monitoring summary, and the reauthorisation read the leadership consumes alongside the underlying artefacts
• Retesting workflows paired to the original finding, so the POA&M remediation evidence carries the verify-after-fix record the assessor reads against

Related reading on SecPortal

• NIST SP 800-53 control catalogue is the control set RMF Step 3 selects from and Step 5 assesses against.
• NIST SP 800-171 derives from 800-53 and applies to non-federal systems handling Controlled Unclassified Information.
• NIST CSF 2.0 is the outcomes-oriented framework that pairs with RMF for cross-organisation risk communication.
• FedRAMP operates RMF for cloud service providers serving the federal government.
• CMMC is the Department of Defense certification that reads against 800-171 and aligns with the RMF discipline.
• NIST AI Risk Management Framework (AI RMF 1.0) is the AI-specific framework that complements RMF for AI-component systems.
• NIST SSDF (SP 800-218) is the secure software development practice catalogue that aligns with the System and Services Acquisition control family in 800-53.
• NIST SP 800-161 Revision 1 is the supply chain risk management framework that integrates with RMF through the SR control family.
• Control mapping and cross-framework crosswalks is the workflow programmes run to reconcile the 800-53 controls behind RMF with the parallel framework reads.
• Audit fieldwork evidence request fulfillment is the workflow assessors read against during the Step 5 assessment work.
• Security compliance automation covers the cross-framework patterns RMF programmes use to avoid rebuilding evidence per audit.
• Cybersecurity risk assessment covers the risk assessment work that feeds the Prepare and Categorise steps.