NIST Risk Management Framework

A risk-based approach to cybersecurity

General Information/Narrative

RMF brings a risk-based approach to the implementation of cybersecurity, supports cybersecurity integration early and throughout the system lifecycle, promotes reciprocity to the maximum extent possible and stresses continuous monitoring. RMF replaces the DoD Information Assurance Certification and Accreditation Process (DIACAP) and adopts the term cybersecurity in place of information assurance.

The RMF process is applicable to all IS and PIT systems, as well as DoD partnered systems where it has been agreed that DoD standards will be followed. IT below the system level (e.g., products, IT services) will not be subjected to the full RMF process. However, IT below the system level must be securely configured (in accordance with applicable DoD policies and security controls), documented in the authorization package and reviewed by the responsible Information System Security Manager (under the direction of the Authorizing Official) for acceptance or connection into an authorized computing environment.

The RMF process consists of six steps: Categorize System, Select Security Controls, Implement Security Controls, Assess Security Controls, Authorize System, and Monitor Security Controls. This process parallels the system life cycle, with the RMF activities being initiated at program or system inception (e.g., documented during capabilities identification or at the implementation of a major system modification).

The DoD RMF governance structure implements a three-tiered approach to cybersecurity risk management. Tier 1 is the strategic level, and it addresses risk management at the DoD enterprise level. At this tier, the DoD Chief Information Officer (CIO) directs and oversees the cybersecurity risk management of DoD IT. The Risk Executive Function is performed by the DoD Information Security Risk Management Committee (ISRMC).Tier 2 is the Mission / Business Processes level. At this level, the Component CIO is responsible for administration of the RMF within the DoD Component cybersecurity program. Tier 3 is the IS andPIT Systems level. Here, the DoD Component Heads are responsible for the appointment of trained and qualified Authorization Officials for all DoD ISs and PIT systems within their Component.

Defense Acquisition Guidebook, Policies, Directives, Regulations, Laws

  • DoDI 8500.01 “Cybersecurity"
  • DoDI 8510.01 “Risk Management Framework for DoD Information Technology”
  • NIST SP 800-37, Rev 1 "Guide for Applying the RMF to Federal Information Systems"
  • NIST SP 800-39 "Managing Information Security Risk"
  • NIST SP 800-53, Rev 4 "Security and Privacy Controls for Federal Information Systems and Organizations"
  • NIST SP 800-60 "Guide for Mapping Types of Information and Information Systems to Security Categories"
  • CNSSI 1253 "Security Categorization and Control Selection for National Security Systems"
  • CNSSI 4009 "Committee on National Security Systems Glossary"

Your Instructor


InfoSec4TC is a distinguished cybersecurity training and consulting company, specializing in delivering comprehensive educational programs to empower individuals and organizations in safeguarding their digital assets. Established by a proficient team of cybersecurity experts, InfoSec4TC is committed to offering affordable, accessible, and practical training in the fast-paced, ever-changing realm of cybersecurity. As authorized partners of CompTIA, Amazon AWS, Mile2, and Microsoft, InfoSec4TC is uniquely positioned to provide industry-leading training courses and certifications that align with the latest developments and best practices in the field.

Frequently Asked Questions

When does the course start and finish?
The course starts now and never ends! It is a completely self-paced online course - you decide when you start and when you finish.
How long do I have access to the course?
How does lifetime access sound? After enrolling, you have unlimited access to this course for as long as you like - across any and all devices you own.
What if I am unhappy with the course?
We would never want you to be unhappy! If you are unsatisfied with your purchase, contact us in the first 30 days and we will give you a full refund.

Get started now!