
A Dive into Understanding RMF for FISMA Compliance and Federal IT Systems


For the last 3 years, I’ve been working in the realm of FISMA and FedRAMP compliance for an industry-leading 3PAO (third-party assessment organization). This is a part of cybersecurity that falls under the Governance, Risk, and Compliance areas also known as GRC. From my experience, these areas of cybersecurity get less attention and voice than their “sexier” counterparts such as Penetration Testing/Red Teaming and Security Engineering but I earnestly believe more individuals should consider this path when contemplating a cybersecurity career. I will add more to this discussion in other articles but for this one, I wanted to tackle RMF or the Risk Management Framework and how it applies to FISMA Compliance and Federal IT Systems.

What is the Risk Management Framework (RMF)?

The Risk Management Framework (RMF) is a set of guidelines and standards developed by the National Institute of Standards and Technology (NIST) to help organizations manage risk associated with information technology (IT) systems. The document is called the NIST Special Publication (SP) 800–37.

While it was developed for federal agencies to manage information security risk and comply with the Federal Information Security Modernization Act (FISMA), the framework has also been adopted by other organizations outside the federal government including state and local government agencies, private sector companies, and educational institutions. These organizations have adapted the RMF to their specific needs and requirements, such as aligning with industry-specific standards and regulations.

Source: https://www.linkedin.com/posts/aronlange_nist-rmf-activity-6977867944248627200-j3wc


The Federal Information Security Modernization Act (FISMA) was created to improve information security in federal government agencies. FISMA was enacted by the United States Congress in 2002 as part of the E-Government Act.

The primary goal of FISMA is to protect government information, operations, and assets against threats, vulnerabilities, and other risks that could lead to unauthorized access, use, disclosure, disruption, modification, or destruction.

The goal of many frameworks and standards is a systematic way of protecting information and people.

FISMA also requires federal agencies to develop, document, and implement information security programs that are based on risk management principles and comply with standards and guidelines established by the National Institute of Standards and Technology (NIST). Guidance for how organizations develop the famous SSP (System Security Plan) can be found in the NIST SP 800–18 Guide for Developing Security Plans for Federal Information Systems.

There is literally a NIST SP 800-something for everything you would need.


The Process

The RMF consists of six steps:

  1. Categorize
  2. Select
  3. Implement
  4. Assess
  5. Authorize
  6. Monitor

Each step involves a series of activities that are designed to ensure the security and effectiveness of IT systems. Let’s take a closer look at each of these steps:

Step 1: Categorize

The first step in the RMF is to categorize the IT system.

This involves determining the system’s impact level, which is based on the system’s potential to cause harm if it is compromised.

This step is critical because it helps organizations determine the level of security required for the system.

In my personal experience, most systems end up being moderate, and as a security assessor, I would say that over 80% of the systems I have assessed have been moderate.

How do you decide if the system is low, moderate, or high?

The Federal Information Processing Standard (FIPS) 199 and 200 documents say that you are supposed to take a system and assign it a security categorization level. In plain terms, FIPS 199 provides guidance on how to categorize information and information systems based on their level of sensitivity and the potential impact of a loss of confidentiality, integrity, or availability, while FIPS 200 provides the minimum security requirements that federal agencies must follow to protect their information and information systems from security risks.

The NIST Special Publication 800–60, Volume 2, “Guide for Mapping Types of Information and Information Systems to Security Categories” is the other document to use for categorizing a system. This guide provides a framework for categorizing information and information systems according to the potential impact that a loss of confidentiality, integrity, or availability would have on an organization’s operations, assets, or individuals. It also includes a set of criteria for each security category that can be used to determine the appropriate set of security controls for the system.

No matter the industry or field the system is in, you should be able to find the specifics for that data type. Say, for example, our system was a health-based system. We would check the index of health information types in SP 800–60.

Let’s say we are a Health Care Research and Practitioner Education Information Type:

The system then gets categorized by the highest level across all the brackets (the "high-water mark"). So for this example, even though the information type is "low" for confidentiality and availability, it is "moderate" for integrity. Therefore, the overall security category for the system would be moderate.
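To make the high-water mark concrete, here is an added example (not code from the article) that applies the FIPS 199 rule to one or more information types: the article's Health Care Research and Practitioner Education type, plus a constructed "patient records" type whose impact values are an assumption for illustration, not taken from SP 800–60.

```python
# Added example: FIPS 199 "high-water mark" categorization over the
# information types a system handles. Provisional impact values for the
# constructed type below are assumptions; real values come from SP 800-60 Vol. 2.
from dataclasses import dataclass

# FIPS 199 allows "n/a" only for the confidentiality of public information.
LEVEL_RANK = {"n/a": 0, "low": 1, "moderate": 2, "high": 3}
OBJECTIVES = ("confidentiality", "integrity", "availability")


@dataclass(frozen=True)
class InfoType:
    """One information type with its provisional impact per security objective."""
    name: str
    confidentiality: str
    integrity: str
    availability: str


def _highest(levels):
    levels = list(levels)
    unknown = [lvl for lvl in levels if lvl not in LEVEL_RANK]
    if unknown:
        raise ValueError(f"unknown impact level(s): {unknown}")
    return max(levels, key=LEVEL_RANK.__getitem__)


def categorize(info_types):
    """Return (per-objective impact, overall level) for a system.

    Each objective takes the highest impact found across all information
    types; the system's overall level is the highest of the three objectives.
    """
    if not info_types:
        raise ValueError("a system must handle at least one information type")
    per_objective = {obj: _highest(getattr(t, obj) for t in info_types)
                     for obj in OBJECTIVES}
    return per_objective, _highest(per_objective.values())


def fips199_notation(per_objective):
    """Render the result in the SC = {(objective, IMPACT), ...} style of FIPS 199."""
    parts = ", ".join(f"({obj}, {per_objective[obj].upper()})" for obj in OBJECTIVES)
    return f"SC = {{{parts}}}"


# The article's example type, plus a constructed second type (assumption) that
# shows the highest value per objective winning across types.
HEALTH_RESEARCH = InfoType("Health Care Research and Practitioner Education",
                           "low", "moderate", "low")
PATIENT_RECORDS = InfoType("constructed: patient records", "moderate", "moderate", "high")

if __name__ == "__main__":
    for system in ([HEALTH_RESEARCH], [HEALTH_RESEARCH, PATIENT_RECORDS]):
        per_obj, overall = categorize(system)
        print(fips199_notation(per_obj), "-> overall:", overall)
```

Adding the second type raises the overall level to high even though the article's type alone is moderate, which is exactly why every information type in the boundary has to be enumerated before the baseline is chosen.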

Step 2: Select

The second step in the RMF is to select security controls.

This involves selecting the appropriate security controls based on the system’s impact level. There are several security control families to choose from, including but not limited to:

  • Access control (AC)
  • Audit and accountability (AU)
  • Configuration management (CM)
  • Contingency planning (CP)
  • Identification and authentication (IA)
  • Incident response (IR)
  • Maintenance (MA)
  • Media protection (MP)
  • Physical and environmental protection (PE)
  • Planning (PL)
  • Personnel security (PS)
  • Risk assessment (RA)
  • System and services acquisition (SA)
  • System and communications protection (SC)
  • System and information integrity (SI)

Your dictionary, so to speak, for all of these controls and more is NIST SP 800–53 Rev. 5, Security and Privacy Controls for Information Systems and Organizations. As of writing this, there are many federal systems still operating and being assessed under Rev. 4.

In order to select the controls that we must implement, we can simply reference NIST SP 800–53B, which provides baselines for low, moderate, and high categorized systems. In the previous step, we categorized our health information system as moderate, so we will continue with that example.

We can use the Risk Assessment (RA) family of controls as an example; this process can be conducted for every control family needed. We would want to ensure that all of the controls checked off in the MOD column were accounted for in the System Security Plan (SSP) with an implementation statement (and also actually implemented!).

NIST provides some resources including this baseline spreadsheet that you could filter relatively easily for moderate controls and use as a template for your system.

Step 3: Implement

The third step in the RMF is to implement security controls and this is the lion’s share of the work. The previous steps could be done in a week, day, or even an hour. Implementing controls and planning for their implementation will take some time. This involves putting the selected security controls into place and ensuring that they are working as intended. This step is critical because it helps organizations ensure that their IT systems are actually secure and effective.

Use NIST SP 800–18 to make your System Security Plan (SSP). This is sort of like the “bible” document for the system in question and it should be consistent with other procedures, policies, and system user processes.

There are quite a few ways to cut this, but SSPs are usually very long documents!

Your SSP should include not only implementation details for your controls that were selected based on the categorization but other information about the system like its owners, the purpose of the system, and even diagrams of the system boundary (including any interconnections).

Step 4: Assess

The fourth step in the RMF is to assess the security controls.

This is where I have actually spent the bulk of my time as the external assessor, but I will dive into job roles a little later.

This involves testing the security controls to ensure that they are working as intended and are effective. The organization should have an independent auditor assess the implemented controls to ensure they are sufficient and effective. If you are not seeking FISMA compliance, you may choose to assess the controls yourself, but you should be aware of potential bias.

In the case of an independent auditor, you would expect to receive a Security Assessment Report (SAR) from the auditor/assessor detailing the findings of the assessment. Typically, not all of the controls are assessed at once; rather, one third of the controls are assessed each year on an ongoing basis.

Time-wise, this step of the process could take several weeks to several months depending on the size of the system and the scope of controls for the assessment.

Step 5: Authorize

The fifth step in the RMF is to authorize the IT system.

The system would obtain authorization from a designated individual (authorizing official) who will review the audit results, SSP, and any residual risk. They will then make a decision on whether the system is authorized to operate. This step is critical because it helps organizations ensure that their IT systems are secure and effective.

Part of the ATO process might include an additional risk assessment based on the findings of the external auditor/assessor. The organization can leverage NIST SP 800–30 Rev. 1 (https://csrc.nist.gov/publications/detail/sp/800-30/rev-1/final) for this. Findings from the assessment that can't be quickly fixed or remediated have probably been put into a Plan of Action and Milestones (POA&M) report.

Continuing with our health system example, say we have PHI (Protected Health Information) in a database but the data isn't encrypted at rest. The risk is that someone breaches the database. That could be a high impact on the system and its users' health information. But after looking at the access control, audit, and other security controls protecting that data, the organization might deem it a low likelihood of happening. This is just an example of what could take place, and this part can get very nuanced based on the type of information system and many other variables in place.

Step 6: Monitor

The sixth and final step in the RMF is to monitor the IT system.

This involves ongoing monitoring of the system to ensure that it remains secure and effective. This step is critical because it helps organizations identify and address any security issues that may arise.

I feel it is probably the most important: given the current terrain of cybersecurity, systems cannot afford to wait for an assessment, which is ultimately only a snapshot in time anyway.


In conclusion, the RMF is an essential framework for managing risk associated with IT systems. By following the six steps outlined in the RMF, organizations can ensure that their IT systems are secure, effective, and in compliance with FISMA requirements. It is important to note that the RMF is not a one-time process but a continuous cycle of assessment and improvement to keep up with evolving threats and changes in technology. In the next article, I will detail more specifically the assessment process conducted by external third-party assessment organizations.

Referenced Docs:

  1. NIST SP 800–37: Guide for Applying the Risk Management Framework to Federal Information Systems — This publication provides a comprehensive approach to managing risks for federal information systems.
  2. NIST SP 800–18: Guide for Developing Security Plans for Federal Information Systems — This guide outlines the process for creating security plans to protect federal information systems.
  3. NIST SP 800–60 (Volume I & II): Guide for Mapping Types of Information and Information Systems to Security Categories — These publications help organizations categorize their information systems based on the types of information they process.
  4. NIST SP 800–53: Security and Privacy Controls for Federal Information Systems and Organizations — This comprehensive guide offers a detailed list of security and privacy controls for federal information systems.
  5. NIST SP 800–53B: Control Baselines for Information Systems and Organizations — This publication provides baseline security controls for various types of information systems and organizations.
  6. FIPS 199: Standards for Security Categorization of Federal Information and Information Systems — This standard defines the security categorization levels (Low, Moderate, and High) for federal information systems based on the potential impact of a security breach.
  7. FIPS 200: Minimum Security Requirements for Federal Information and Information Systems — This standard specifies the minimum security requirements for federal information systems and provides a foundation for selecting appropriate security controls.
  8. NIST SP 800–30: Guide for Conducting Risk Assessments — This guide provides a comprehensive methodology for conducting risk assessments, helping organizations identify, estimate, and prioritize risks to their information systems and processes.