Step 1: Prepare

Establish the context and priorities for managing security and privacy risk

Key Activities

Establish organizational context
Identify system boundaries
Define risk management roles
Establish risk management strategy
Determine risk tolerance

Outputs

Organizational risk management strategy
System boundary definition
Risk management roles and responsibilities
Risk tolerance statements

Step 2: Categorize

Categorize the system and the information processed, stored, and transmitted

Key Activities

Identify information types
Determine impact levels
Assign security categorization
Document categorization results

Impact Levels

Low Impact

Limited adverse effects on organizational operations, assets, or individuals

Moderate Impact

Serious adverse effects on organizational operations, assets, or individuals

High Impact

Severe or catastrophic adverse effects on organizational operations, assets, or individuals

Step 3: Select

Select the set of NIST SP 800-53 controls to protect the system

Key Activities

Select baseline controls
Apply tailoring guidance
Supplement with additional controls
Document control selection rationale

Control Categories

AC - Access Control

Manage system access and permissions

AU - Audit and Accountability

Track and monitor system activities

CM - Configuration Management

Manage system configurations

IA - Identification and Authentication

Verify user identities

Step 4: Implement

Implement the controls and document how they are deployed

Key Activities

Deploy control implementations
Document control implementations
Update system documentation
Train personnel on controls

Implementation Considerations

Technical implementation details
Operational procedures
Personnel training requirements
Documentation updates

Step 5: Assess

Determine if the controls are implemented correctly and operating as intended

Key Activities

Develop assessment plan
Select assessment methods
Conduct control assessments
Document assessment results

Assessment Methods

Examine

Review documentation, logs, and configurations

Interview

Discuss with personnel and stakeholders

Test

Execute procedures and observe results

Step 6: Authorize

Provide senior official with the information needed to make risk-based decisions

Key Activities

Prepare authorization package
Conduct risk determination
Make authorization decision
Document authorization results

Authorization Package

System security plan
Assessment results
Plan of action and milestones
Authorization decision document

Step 7: Monitor

Continuously track changes to the system and its environment

Key Activities

Monitor control effectiveness
Track system changes
Conduct ongoing assessments
Update documentation

Continuous Monitoring

Configuration Management

Track system configuration changes

Security Events

Monitor for security incidents

Performance Metrics

Track system performance and availability

NIST RMF

Step 1: Prepare

Key Activities

Outputs

Step 2: Categorize

Key Activities

Impact Levels

Low Impact

Moderate Impact

High Impact

Step 3: Select

Key Activities

Control Categories

AC - Access Control

AU - Audit and Accountability

CM - Configuration Management

IA - Identification and Authentication

Step 4: Implement

Key Activities

Implementation Considerations

Step 5: Assess

Key Activities

Assessment Methods

Examine

Interview

Test

Step 6: Authorize

Key Activities

Authorization Package

Step 7: Monitor

Key Activities

Continuous Monitoring

Configuration Management

Security Events

Performance Metrics