What Is Risk Management Framework (RMF)?

Risk Management Framework (RMF) is a six-step process that takes the place of the Certification and Accreditation (C&A) process and incorporates information security and risk management activities into the system life cycle. RMF is the security framework used by all departments of the federal government, including the Department of Defense (DoD) and the Intelligence Community (IC).

The Risk Management Framework is put into practice by specifying and implementing information system security controls within an organization. The RMF was developed by the National Institute of Standards and Technology (NIST) to help organizations adequately secure their systems and mitigate their risk. It helps target risk factors in part by ensuring that an organization maintains compliance with the regulatory bodies that apply to its particular industry. A framework gives an organization clear initiatives and documented processes that keep business assets, such as information systems and the individuals who work with them, adequately protected. The RMF is an important part of a great many organizations that rely on secure information systems, as it can help identify weaknesses in security before those weaknesses place key business assets at risk.

In recent years, the need for heightened security controls and the identification and management of risk within organizations that rely on technology to protect their valuable assets has greatly increased. The concept of risk management can be considered value management as well, as entities employ risk management in order to help increase and maintain the value of a business on behalf of its stakeholders. This value is maintained through a delicate balance between the effective management of risk, and the ability to collect greater returns. In essence, risk management tempers an organization’s appetite for growth by managing risk responsibly, reducing costly losses, and supporting a reliable level of business performance.

The security controls included in the RMF typically span the breadth of the organization, not simply one or two components of the whole. They ensure that the organization takes a comprehensive, structured, and rigorous approach to the applied management of risk. This includes risk to the organization itself as well as to the employees responsible for working with the selected information system.

To be successful, the risk management framework must adequately address the following requirements:

  • The framework ensures that the organization’s tolerance for risk is in alignment with the strategy for implementing and enforcing security controls. A delicate and well-managed balance is obtained that supports business growth without exposing the organization to unnecessary, and potentially costly, risk factors.
  • The framework anticipates events and is positioned to allow an organization to be proactive in its effort to address risk events. In essence, the framework should limit the surprises that the organization encounters.
  • The framework takes a multi-pronged approach to risk responses, allowing for an appropriate selection among multiple viable options. This keeps the framework structured and well-understood while also allowing for flexibility based on each particular event encountered.
  • The framework is comprehensive and encompasses not just risks within the enterprise itself, but risks between the enterprise and outside organizations as well. This gives both the organization and its business partners the ability to properly assess potential risk factors.
  • The framework reduces unforeseen security risks and resultant losses that could devalue the business and its associated assets. Surprises do happen, but a comprehensive and well-maintained RMF can aid an organization by limiting, reducing, and addressing these detrimental and unforeseen events.

The RMF is built by completing a series of steps that together provide a disciplined framework from which to manage information security and reduce risk factors. The RMF consists of both foundational components and organizational components. Foundational components include the overall objectives, the policies, and the organization’s commitment to applying the RMF. Organizational components include the actual plan and process, the resources involved, the individuals accountable for applying and adhering to the RMF, and any other operational realities.

Implementing the RMF in an organization includes performing the following tasks:

  1. Categorize: Categorizing the organization’s information system and outlining what information is stored, how it is processed, and how it is transmitted, along with who is responsible for each component of the overall RMF process.
  2. Select: Creating a baseline for security controls that govern the information system. This includes any customizations based on the particular system addressed, the organization’s unique risk tolerance, and any environmental factors that may affect security.
  3. Implement: Implementing the controls outlined and documenting how those controls have been applied.
  4. Assess: Determining whether the controls implemented are adequate and functioning as intended. The outcome must also be evaluated to determine whether it is both measurable and acceptable.
  5. Authorize: Authorizing the operation of the information system based on the determination of the risk incurred by doing so in comparison to the risk tolerance of the organization.
  6. Monitor: Monitoring security controls is an ongoing process which is outlined below.
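As an added illustration of the Categorize and Select steps above (and of the gap-tracking that Assess and Monitor rely on), the following Python model is not part of the original article or of NIST's own material. It assumes the FIPS 199 "high-water mark" rule for categorization, in which the system inherits the most severe impact level among its information types for each security objective and the overall category is the most severe of the three. The control catalog and its baseline membership are constructed for illustration only and are not the real SP 800-53 baselines; the information types and assessment statuses are likewise constructed sample data.

```python
from dataclasses import dataclass

# Impact levels ordered so that max() picks the more severe one.
IMPACT_LEVELS = {"low": 1, "moderate": 2, "high": 3}


@dataclass(frozen=True)
class InformationType:
    """One kind of information the system stores, processes or transmits,
    with a provisional impact level for each security objective."""
    name: str
    confidentiality: str
    integrity: str
    availability: str


def _check_level(level):
    if level not in IMPACT_LEVELS:
        raise ValueError(f"unknown impact level {level!r}")
    return level


def categorize(info_types):
    """Categorize step (FIPS 199 high-water mark, an assumption of this example).

    For each objective the system inherits the most severe level among its
    information types; the overall system category is the most severe of the
    three. Returns (per_objective, system_level)."""
    if not info_types:
        raise ValueError("a system must hold at least one information type")
    per_objective = {}
    for objective in ("confidentiality", "integrity", "availability"):
        levels = [_check_level(getattr(t, objective)) for t in info_types]
        per_objective[objective] = max(levels, key=IMPACT_LEVELS.__getitem__)
    system_level = max(per_objective.values(), key=IMPACT_LEVELS.__getitem__)
    return per_objective, system_level


# Constructed mini catalog: control id -> lowest baseline that includes it.
# The membership here is illustrative only, not the real SP 800-53B baselines.
CONTROL_CATALOG = {
    "AC-2": "low",        # account management
    "AC-6": "moderate",   # least privilege
    "AU-2": "low",        # event logging
    "AU-6": "low",        # audit record review
    "CA-7": "low",        # continuous monitoring
    "CM-3": "moderate",   # configuration change control
    "SC-8": "moderate",   # transmission confidentiality and integrity
    "SI-4": "low",        # system monitoring
    "AU-9(2)": "high",    # store audit records on a separate system
}


def select_controls(system_level, catalog=CONTROL_CATALOG, add=(), remove=None):
    """Select step: take every catalog control whose baseline is at or below
    the system's category, then tailor it. `add` lists extra controls required
    by the organization's risk tolerance or environment; `remove` maps a
    control to the written justification for dropping it, since tailoring a
    control out without a documented rationale is rejected."""
    _check_level(system_level)
    selected = {c for c, baseline in catalog.items()
                if IMPACT_LEVELS[baseline] <= IMPACT_LEVELS[system_level]}
    selected.update(add)
    for control, rationale in (remove or {}).items():
        if not rationale or not rationale.strip():
            raise ValueError(f"removing {control} requires a documented rationale")
        selected.discard(control)
    return selected


def open_findings(selected, status):
    """Assess/Monitor steps: a selected control is an open finding unless
    `status` (control id -> (implemented, assessed_satisfactory)) marks it as
    both implemented and assessed satisfactory."""
    findings = []
    for control in sorted(selected):
        implemented, assessed_ok = status.get(control, (False, False))
        if not implemented:
            findings.append((control, "not implemented"))
        elif not assessed_ok:
            findings.append((control, "implemented but not assessed satisfactory"))
    return findings


if __name__ == "__main__":
    # Constructed sample system: three information types with provisional levels.
    system = [
        InformationType("public documentation", "low", "low", "low"),
        InformationType("employee PII", "moderate", "moderate", "low"),
        InformationType("payroll ledger", "moderate", "high", "moderate"),
    ]
    per_objective, level = categorize(system)
    print("categorization:", per_objective, "->", level)
    controls = select_controls(level, remove={
        "AU-9(2)": "separate log server not yet procured; risk accepted by AO until Q3"})
    print("selected controls:", sorted(controls))
    status = {"AC-2": (True, True), "AU-2": (True, False)}
    for control, reason in open_findings(controls, status):
        print(f"finding: {control}: {reason}")
```

The point the model makes is that the first two steps are mechanical once the inputs are honest: the category is driven entirely by the worst-case information type, and the baseline follows from the category, so the places where judgement enters (the `add` and `remove` tailoring, and the assessment status) are exactly the places that need to be written down and revisited during monitoring.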

Monitoring Risk in Perpetuity

The RMF is only as effective as its upkeep over the life of the organization. Once the RMF has been established from its foundational and organizational components, it must be monitored and revised as the organization and its environment, initiatives, and risk factors evolve. As risks are encountered and action is taken, the RMF should be consulted consistently to ensure that the actions taken match the documented policy and that those actions were successful. If the actions are deemed unsuccessful, the policy should be adjusted accordingly. The security controls encompassed in the RMF, once in place, must be routinely monitored, and a change management process should be instituted so that the organization reviews the impact each proposed change has on the security of the information system and documents any adjustments.

The Risk Management Framework is an important part of maintaining an organization’s effective and comprehensive security program. Framing the risk management process in a structured and comprehensive manner helps organizations manage risk both within the enterprise and in their dealings with other entities. Every organization is unique in its security systems, and in turn each one faces a wide variety of possible risk factors. To be effective, the RMF should include strategic high-level goals, operational effectiveness, an agreeable balance between value and risk, solid reporting, and compliance with industry regulatory requirements. The RMF helps drive risk management and the identification of risk factors, an understanding of the organization’s risk tolerance, routine risk monitoring, a fast and effective risk response, and a sound internal change management process.