757-216-3656 | Monday–Friday 8:30 AM – 4:30 PM | info@itdojo.com

April 22, 2014

The Risk Management Framework (RMF) is the seven-step process defined in NIST Special Publication 800-37 (Revision 2) for managing security and privacy risk to information systems. It is required for federal civilian systems under FISMA and OMB policy, and for DoD systems by DoDI 8510.01. A federal or DoD information system must complete the RMF process before it receives an Authorization to Operate (ATO). Here is a breakdown of each step.

Step 1: Prepare

The Prepare step was added in NIST SP 800-37 Revision 2 to establish the organizational and system-level context needed to manage security and privacy risk. At the organizational level, this means identifying the mission and business functions the system supports, defining risk tolerance, and assigning roles such as the Authorizing Official (AO), System Owner, Information System Security Officer (ISSO), and Information System Security Manager (ISSM). At the system level, it means identifying the system boundary, stakeholders, and any existing security or privacy requirements.

Step 2: Categorize

The Categorize step establishes the system's security category from the potential impact (Low, Moderate, or High) of a loss of confidentiality, integrity, or availability. For federal civilian systems, categorization follows FIPS 199 and NIST SP 800-60: each information type the system processes gets a provisional impact level per security objective, the highest level for each objective is taken across all information types, any adjustments are documented with a rationale, and the overall system impact level is the high-water mark of the three objectives. DoD and other national security systems categorize under CNSSI 1253 instead, which records the three values separately (for example, Moderate-Moderate-Low) rather than collapsing them to a single high-water mark, so the baseline can differ per objective. Either way, the result drives every subsequent decision about which security controls to select; systems handling classified information or CUI generally land at Moderate or High for confidentiality, which significantly expands the required control baseline.
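The categorization arithmetic above is mechanical enough to script. The following is an added example, not code from the original article: it takes a list of information types with provisional impact levels, rolls them up per objective, applies documented adjustments, and prints the result in both FIPS 199 notation (with the FIPS 200 high-water mark that selects the 800-53 baseline) and CNSSI 1253 notation (three separate values). The information types and their impact levels are constructed for illustration; real provisional levels come from NIST SP 800-60 Volume II.

```python
"""Security categorization worked example (FIPS 199 / SP 800-60 / CNSSI 1253).

Added illustration, not code from the original article. Impact values assigned to
the constructed information types below are made up for the example; real provisional
levels come from NIST SP 800-60 Volume II.
"""
from dataclasses import dataclass

ORDER = ("Low", "Moderate", "High")
OBJECTIVES = ("confidentiality", "integrity", "availability")


def rank(level):
    """Position of an impact level in the Low < Moderate < High ordering."""
    return ORDER.index(level)


@dataclass(frozen=True)
class InfoType:
    """One information type with its provisional impact levels (SP 800-60 style)."""
    name: str
    confidentiality: str
    integrity: str
    availability: str


def provisional_category(info_types):
    """Per objective, take the highest provisional level across all information types."""
    if not info_types:
        raise ValueError("a system must process at least one information type")
    return {obj: max((getattr(t, obj) for t in info_types), key=rank) for obj in OBJECTIVES}


def apply_adjustments(category, adjustments):
    """Apply documented adjustments (objective, new level, rationale); return new category and a log.

    SP 800-60 allows raising or lowering a provisional level, but every change must be
    justified in the categorization record, so a rationale is mandatory here.
    """
    adjusted = dict(category)
    log = []
    for obj, level, rationale in adjustments:
        if obj not in OBJECTIVES or level not in ORDER:
            raise ValueError(f"invalid adjustment {obj}={level}")
        if not rationale.strip():
            raise ValueError(f"adjustment to {obj} needs a documented rationale")
        log.append(f"{obj}: {adjusted[obj]} -> {level} ({rationale})")
        adjusted[obj] = level
    return adjusted, log


def fips199_notation(category):
    """FIPS 199 security category string, e.g. SC = {(confidentiality, HIGH), ...}."""
    inner = ", ".join(f"({obj}, {category[obj].upper()})" for obj in OBJECTIVES)
    return "SC = {" + inner + "}"


def high_water_mark(category):
    """Overall impact level per FIPS 200: the highest objective; this picks the 800-53 baseline."""
    return max(category.values(), key=rank)


def cnssi1253_notation(category):
    """CNSSI 1253 (DoD/NSS) keeps the three values separate, e.g. H-M-L, with no high-water mark."""
    return "-".join(category[obj][0] for obj in OBJECTIVES)


def categorize_system(info_types, adjustments=()):
    """Run the whole categorization and return what the SSP categorization section needs."""
    prov = provisional_category(info_types)
    final, log = apply_adjustments(prov, adjustments)
    return {
        "provisional": prov,
        "final": final,
        "adjustments": log,
        "fips199": fips199_notation(final),
        "high_water_mark": high_water_mark(final),
        "cnssi1253": cnssi1253_notation(final),
    }


# Constructed sample: three information types an HR support system might process.
SAMPLE_TYPES = [
    InfoType("Personnel records (constructed)", "Moderate", "Moderate", "Low"),
    InfoType("System maintenance (constructed)", "Low", "Moderate", "Low"),
    InfoType("Public web content (constructed)", "Low", "Moderate", "Low"),
]
# Constructed adjustment: aggregating records on the whole workforce raises confidentiality.
SAMPLE_ADJUSTMENTS = [
    ("confidentiality", "High", "aggregation: records on the entire workforce in one place"),
]

if __name__ == "__main__":
    result = categorize_system(SAMPLE_TYPES, SAMPLE_ADJUSTMENTS)
    for line in result["adjustments"]:
        print("adjustment:", line)
    print(result["fips199"])
    print("FIPS 200 high-water mark (federal baseline):", result["high_water_mark"])
    print("CNSSI 1253 category (DoD/NSS):", result["cnssi1253"])
```

Run as-is, the sample rolls up to Moderate-Moderate-Low, the adjustment lifts confidentiality to High, and the two notations then diverge: the federal high-water mark makes the whole system High, while the CNSSI 1253 category stays H-M-L, which is exactly why a DoD baseline can be lighter on availability than the equivalent FIPS 200 baseline.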

Step 3: Select

Based on the security category established in Step 2, the organization selects a set of security controls from NIST SP 800-53. The starting point is the baseline (Low, Moderate, or High) that matches the category, which is then tailored to the system's environment: adding controls where the risk assessment calls for them, applying overlays, and scoping out controls that do not apply, with every tailoring decision justified and recorded so the assessor and AO can see why a baseline control is absent. For DoD systems, DoDI 8510.01 directs the use of the CNSSI 1253 baselines and overlays (for example the classified-information or privacy overlays) plus any Component- or Command-specific requirements. The output is the initial System Security Plan (SSP), which documents the selected and tailored controls and how each one is to be implemented; the SSP is kept current as implementation proceeds.

Step 4: Implement

The Implement step is where the security controls selected in Step 3 are actually put in place. This includes technical configurations (firewall rules, encryption settings, audit logging), procedural controls (policies, training, incident response procedures), and physical security measures as applicable. Implementation details are documented in the System Security Plan and supporting artifacts. For DoD systems, this step often involves applying Security Technical Implementation Guides (STIGs) to harden operating systems, applications, and network devices.
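Applying a STIG is mostly checking one configuration value after another against a required state and recording the result, so the check itself can be automated. The following is an added example, not code from the original article and not an actual DISA STIG: it parses an sshd_config, evaluates a handful of STIG-style rules, and reports each as Open or Not a Finding in STIG Viewer terms. The rule IDs (SSH-01 and so on), the approved-cipher list, and both configuration files are constructed for illustration; the real requirements and their V-/SV- identifiers come from the applicable STIG. The parser deliberately mirrors two sshd behaviours that trip up naive checkers: the first occurrence of a keyword wins, and settings after a Match line are conditional rather than global.

```python
"""STIG-style configuration check for sshd_config.

Added illustration, not code from the original article and not an actual STIG.
Rule IDs (SSH-01 ...) and the approved-cipher list are made up for the example;
the real requirements and V-/SV- identifiers come from the applicable DISA STIG.
"""
import re
from dataclasses import dataclass
from typing import Callable, Optional

# Hypothetical approved set, a stand-in for whatever the applicable STIG mandates.
APPROVED_CIPHERS = {"aes256-gcm@openssh.com", "aes128-gcm@openssh.com",
                    "aes256-ctr", "aes192-ctr", "aes128-ctr"}


def parse_sshd_config(text):
    """Return {keyword (lowercased): value} for the global section of an sshd_config.

    Mirrors sshd: comment lines start with '#', for each keyword the FIRST occurrence
    wins (later duplicates are ignored), and everything after a 'Match' line is
    conditional, so it is not treated as a global setting here.
    """
    cfg = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"([A-Za-z0-9]+)\s*=?\s*(.*)$", line)  # 'Key value' or 'Key=value'
        if not m:
            continue
        key, value = m.group(1).lower(), m.group(2).strip()
        if key == "match":
            break
        cfg.setdefault(key, value)
    return cfg


@dataclass(frozen=True)
class Rule:
    rule_id: str        # illustrative identifier, not a STIG V-ID
    keyword: str        # sshd_config keyword, lowercased
    title: str
    compliant: Callable[[Optional[str]], bool]  # gets the value, or None if not set
    fix: str


def _yes_no(expected):
    return lambda v: (v or "").lower() == expected


def _ciphers_ok(v):
    if v is None:
        return False  # unset means the daemon default applies, which we cannot vouch for
    return {c.strip().lower() for c in v.split(",")} <= APPROVED_CIPHERS


def _interval_ok(v):
    return v is not None and v.isdigit() and 0 < int(v) <= 600


RULES = [
    Rule("SSH-01", "permitrootlogin", "Direct root login must be disabled", _yes_no("no"), "PermitRootLogin no"),
    Rule("SSH-02", "permitemptypasswords", "Empty passwords must be refused", _yes_no("no"), "PermitEmptyPasswords no"),
    Rule("SSH-03", "x11forwarding", "X11 forwarding must be disabled", _yes_no("no"), "X11Forwarding no"),
    Rule("SSH-04", "ciphers", "Only approved ciphers may be offered", _ciphers_ok,
         "Ciphers " + ",".join(sorted(APPROVED_CIPHERS))),
    Rule("SSH-05", "clientaliveinterval", "Idle sessions must time out within 10 minutes", _interval_ok,
         "ClientAliveInterval 600"),
]


def assess_sshd(text, rules=RULES):
    """Evaluate each rule and return findings in STIG Viewer terms: Open or Not a Finding."""
    cfg = parse_sshd_config(text)
    findings = []
    for r in rules:
        value = cfg.get(r.keyword)
        ok = r.compliant(value)
        findings.append({
            "id": r.rule_id,
            "title": r.title,
            "status": "Not a Finding" if ok else "Open",
            "observed": value if value is not None else "(not set)",
            "fix": None if ok else r.fix,
        })
    return findings


# Constructed configs, not taken from any real host.
WEAK_SSHD_CONFIG = """
Port 22
PermitRootLogin yes
# the next line is ignored by sshd: the first value for a keyword wins
PermitRootLogin no
PermitEmptyPasswords no
Ciphers aes256-ctr,aes128-cbc
X11Forwarding yes
Match Address 10.0.0.0/8
    X11Forwarding no
"""

HARDENED_SSHD_CONFIG = """
Port 22
PermitRootLogin no
PermitEmptyPasswords no
X11Forwarding no
Ciphers aes256-gcm@openssh.com,aes256-ctr
ClientAliveInterval 600
ClientAliveCountMax 0
"""

if __name__ == "__main__":
    for f in assess_sshd(WEAK_SSHD_CONFIG):
        print(f"{f['id']} {f['status']:<13} {f['title']} (observed: {f['observed']})"
              + (f"  -> fix: {f['fix']}" if f["fix"] else ""))
```

On the weak file four of the five rules come back Open, including SSH-01 even though a later line says `PermitRootLogin no`, and SSH-03 even though the Match block disables X11 forwarding for one address range; both are the kind of false "pass" a grep-based check would report. Findings that cannot be fixed immediately are what end up as POA&M items in Step 6.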

Step 5: Assess

During the Assess step, an independent assessor, the Security Control Assessor (SCA), evaluates whether the implemented controls are in place, operating as intended, and producing the desired outcome with respect to the system's security requirements. The assessment methods are examine (documentation, configurations, logs), interview, and test, applied at the depth and coverage set in the security assessment plan; the assessment procedures in NIST SP 800-53A are the usual starting point. The results, including each control's status and any weaknesses found, are captured in the Security Assessment Report (SAR), and weaknesses that cannot be corrected before authorization become POA&M items. For DoD systems the SCA is appointed by the Component, and where the system needs a connection to the DISN the SAR also feeds the connection-approval process overseen by the Defense IA/Security Accreditation Working Group (DSAWG).

Step 6: Authorize

The Authorize step is where the Authorizing Official (AO) reviews the full authorization package (the SSP, the SAR, and the Plan of Action and Milestones (POA&M)) and makes a risk-based decision. Under DoDI 8510.01 the possible decisions are an Authorization to Operate (ATO), an ATO with conditions, an Interim Authorization to Test (IATT) for time-limited testing in an operational environment, or a Denial of Authorization to Operate (DATO); the Interim ATO (IATO) of the older DIACAP process is no longer an option under RMF. A DoD ATO is limited to a term of at most three years, after which it must be reissued, unless the system moves to ongoing authorization backed by an approved continuous monitoring program. In signing, the AO explicitly accepts the residual risk of operating the system on behalf of the organization.

Step 7: Monitor

The Monitor step — also called Information Security Continuous Monitoring (ISCM) — is the ongoing phase of the RMF lifecycle. Once an ATO is granted, the organization must continuously monitor the security posture of the system, track changes that could affect the authorization, conduct ongoing assessments of selected controls, and report the security status to the AO. Significant changes to the system may trigger a partial or full reassessment. The goal of continuous monitoring is to maintain awareness of the system's security posture and ensure the ATO remains valid through the life of the system.

The RMF as a Lifecycle

It is important to understand that RMF is not a linear checklist — it is a continuous lifecycle. After Step 7, significant changes cycle back to earlier steps. A system upgrade may require re-categorization. New threats may prompt control reselection. The framework is designed to keep security posture current over the operational life of the system, not just at the moment of initial authorization.

IT Dojo offers a comprehensive suite of RMF training courses covering every step of this process — from system categorization through eMASS documentation, STIG implementation, security control assessment, and continuous monitoring. All courses are available as live instructor-led training via remote online or on-site at your facility. Learn more about IT Dojo's RMF training.
