What is the Risk Management Framework (RMF)?


The Defense Industrial Base (DIB) supply chain is integral to the security and well-being of our country and includes everyone from government agencies to IT contractors providing software, applications and cloud services to those agencies. It seems obvious that the regulations pertaining to these companies and their products would be more stringent than others, and would include more than simple security measures. That’s where RMF plays a major role. 

In this article, we discuss RMF and how it breaks down into actionable steps. Furthermore, we will discuss the importance of risk management for DoD contractors and why you should work with experts in managing your own risk. 

What is RMF?

The NIST Risk Management Framework is a process for integrating security, privacy and risk management controls into the life cycle of your IT systems. Developed and maintained by NIST with the Joint Task Force (which includes the Department of Defense, the Office of the Director of National Intelligence and the Committee on National Security Systems), and adopted by the DoD through its own instructions, RMF is foundational guidance that makes risk assessment and management a required practice for DoD agencies and for contractors operating systems in the DoD supply chain. 

NIST Special Publication 800-37 defines the particulars of RMF. Revision 1 outlined a 6-step process for organizations operating federal information systems, including those run for the DoD. The current revision (Rev. 2, published in 2018) expanded that process to 7 steps by adding a Prepare step at the front. 

The 7 steps of the RMF process are:

  1. Prepare: Carry out the organization- and system-level activities (assigning roles, defining risk tolerance, identifying common controls, establishing a continuous monitoring strategy) that put you in a position to manage security, privacy and risk.
  2. Categorize: Determine the impact level (low, moderate or high) of a loss of confidentiality, integrity or availability for the system and the information it processes, and document that categorization; the highest of the three drives the system's overall category. 
  3. Select: Choose the baseline of security and privacy controls that matches the categorization, tailor and configure it to the system, and document the result in the system security plan. 
  4. Implement: Put the selected controls in place and record how each one is actually implemented, including any supporting plans. 
  5. Assess: Determine whether the implemented controls are in place, operating as intended and producing the desired outcome. 
  6. Authorize: Present the assessment results and residual risk to a senior official, who decides whether that risk is acceptable and formally authorizes the system to operate (or declines to). 
  7. Monitor: Continuously monitor the system and its controls for changes in effectiveness, new vulnerabilities and changes to the environment, and feed the results back into the authorization decision. 

These steps operationalize the general concept of risk management by expecting that agencies and contractors under the DoD umbrella follow standardized assessment and security management procedures on a recurring basis. Authorizations are time-limited and must be renewed, and between renewals the organization is expected to continuously monitor its systems and to reassess and justify its risk rather than waiting for the next formal review. 


Why Is Risk Assessment So Important in Modern Cybersecurity?

It’s important to note that RMF is a risk management framework. While it covers controls and practices related to cybersecurity, its true purpose is to ensure that businesses like yours are managing risk alongside implementing cybersecurity technologies. 

The difference between cybersecurity and risk management is important. Checking boxes on a compliance list, or deploying the latest security product, does not by itself mean that you are managing risk. Risk is the likelihood that a threat will exploit a vulnerability in your system, combined with the impact if it does, given the controls, practices and configurations you have in place. That impact can be concrete (exposure of confidential data) or less tangible (loss of reputation or standing for the government or your company). Importantly, risk can never be eliminated. Risk management instead helps an organization decide, and articulate, how much residual risk it accepts in exchange for a given security posture and level of investment. 

RMF, therefore, expects any contractor operating systems on behalf of the DoD to have a standing process for understanding, documenting and justifying the risk that remains after its cybersecurity decisions are made. 

There are several practices and components that you can implement to ensure that you are operating within the steps outlined above:

  1. Risk Identification: The basis for assessment. Identification is the process of finding the threats, vulnerabilities and security gaps that apply to your systems and estimating how likely each is to affect your organization. 
  2. Risk Governance: A formal, organization-wide statement of how risk decisions are made, including the level of risk you are willing to accept, the regulations you must comply with and how remediation is prioritized and funded. 
  3. Risk Measurement: How you rank and categorize identified risks based on likelihood, severity of impact, industry-specific factors and anything else relevant to your environment, so that the most serious ones are treated first. 
  4. Documentation and Reporting: RMF calls for continuous monitoring, so your risk management will include continuous documentation, audits and reporting of how you are assessing risk. This matters most when you upgrade systems or when new threats emerge, because either can change an earlier assessment. 
  5. Mitigation: Remediating vulnerabilities and reducing the likelihood or impact of remaining risks through new security controls and practices. 
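To make the Categorize step and the Risk Measurement component concrete, here is an added example (not code from the original article or from any NIST publication) showing how a small contractor might encode both: the FIPS 199 high-water-mark rule for a system's overall impact level, and a likelihood-times-impact ranking of a risk register against a documented risk tolerance. The 3x3 qualitative scale is an assumed simplification of the larger tables in NIST SP 800-30, the register entries are constructed sample data, and the SP 800-53 control identifiers attached to each risk are illustrative mappings chosen for the example.

```python
"""Added example: FIPS 199 categorization and qualitative risk ranking.

The 3x3 likelihood/impact scale is an assumed simplification of NIST SP 800-30's
tables; the register below is constructed sample data, not real findings.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple

# FIPS 199 impact levels, ordered so that max() yields the high-water mark.
IMPACT_RANK: Dict[str, int] = {"low": 1, "moderate": 2, "high": 3}
RANK_NAME: Dict[int, str] = {v: k for k, v in IMPACT_RANK.items()}


def categorize_system(confidentiality: str, integrity: str, availability: str) -> str:
    """Step 2 (Categorize): the system's overall impact level is the highest
    of its three security objectives, e.g. (low, moderate, low) -> moderate."""
    ranks = [IMPACT_RANK[lvl.lower()] for lvl in (confidentiality, integrity, availability)]
    return RANK_NAME[max(ranks)]


@dataclass(frozen=True)
class Risk:
    """One row of a risk register: a threat exploiting a vulnerability."""
    ident: str
    threat: str
    vulnerability: str
    likelihood: str   # low / moderate / high
    impact: str       # low / moderate / high
    control: str      # SP 800-53 control chosen to respond (illustrative mapping)


def score(risk: Risk) -> int:
    """Qualitative risk score = likelihood x impact on the assumed 3x3 scale (1..9)."""
    return IMPACT_RANK[risk.likelihood] * IMPACT_RANK[risk.impact]


def level(s: int) -> str:
    """Band a 1..9 score into the same three levels used for impact."""
    if s >= 6:
        return "high"
    if s >= 3:
        return "moderate"
    return "low"


def rank_register(register: List[Risk]) -> List[Tuple[Risk, int, str]]:
    """Risk Measurement: order the register highest risk first (ties by id)."""
    scored = [(r, score(r), level(score(r))) for r in register]
    return sorted(scored, key=lambda t: (-t[1], t[0].ident))


def exceeds_tolerance(register: List[Risk], tolerance: str) -> List[Risk]:
    """Risks above the documented tolerance must be mitigated or explicitly
    accepted by the authorizing official (Step 6, Authorize)."""
    limit = IMPACT_RANK[tolerance]
    return [r for r, _s, lvl in rank_register(register) if IMPACT_RANK[lvl] > limit]


# Constructed sample register for a small contractor system (not real findings).
SAMPLE_REGISTER: List[Risk] = [
    Risk("R-1", "Credential stuffing against VPN", "No MFA on remote access",
         likelihood="high", impact="high", control="IA-2(1)"),
    Risk("R-2", "Unpatched web server exploited", "Patch cycle exceeds 30 days",
         likelihood="moderate", impact="high", control="SI-2"),
    Risk("R-3", "Backup media lost in transit", "Media not encrypted",
         likelihood="moderate", impact="moderate", control="MP-5"),
    Risk("R-4", "Printer firmware outdated", "No firmware update process",
         likelihood="low", impact="low", control="CM-8"),
]

if __name__ == "__main__":
    print("System category:", categorize_system("moderate", "moderate", "low"))
    for r, s, lvl in rank_register(SAMPLE_REGISTER):
        print(f"{r.ident} {lvl:8} (score {s}) -> {r.control}: {r.threat}")
    print("Above tolerance 'low':",
          [r.ident for r in exceeds_tolerance(SAMPLE_REGISTER, "low")])
```

The point of `exceeds_tolerance` is the link between measurement and authorization: whatever falls above the tolerance recorded in your risk governance plan cannot simply sit in the register; it either gets a mitigation with an owner and a date, or a written acceptance signed by the authorizing official. Re-running the ranking after a system upgrade or a newly published threat is the "Documentation and Reporting" activity in miniature.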


How Do You Implement RMF for Your Business?

The best way to prepare for, and adopt, the RMF framework is to follow the seven steps listed above. More specifically, this includes practices like:

  • Hiring and maintaining a Risk Management Officer. Even if your risk assessment strategy is a single person (which, depending on your line of work, it probably shouldn’t be), having someone on board who understands the demands of RMF and risk management more broadly is invaluable. Likewise, if you work with outside security or risk management agencies, this person can serve as a dedicated point-person for that work. 
  • Formalize your company’s posture on the balance of business growth and security risk. In some cases, security controls are what they are, and you must implement them. More often than not, however, you’ll have to make decisions about what controls and systems to adopt, what not to implement and how the difference can help or hinder both the growth of your business and your vulnerability. 
  • Take the “Prepare” step seriously. Prepare was added to the RMF process in SP 800-37 Rev. 2 to streamline the remaining steps and to give agencies and contractors a better footing before they commit to an authorization effort. In practice it asks you to put most of the risk management components outlined in the previous section in place before you attempt RMF compliance. 
  • Work with skilled auditors and experts. Adhering to RMF, and even simply implementing good risk management practices, doesn’t have to fall on your shoulders alone. Working with security and risk experts can help you with the preparation of your systems and the continued monitoring of your risk posture. 


Risk management is a practice that any IT company working with sensitive data should undertake. With RMF and DoD contracting, however, risk management is a necessary part of your everyday business. 

Are you preparing for your RMF audits, or are you just interested in expanding your risk management capabilities?  If your organization is interested in proactive cybersecurity and compliance, call 1-888-896-7580 to discuss your organization’s compliance needs.


Lazarus Alliance