What is the NIST Risk Management Framework?
CISSP Flashcards: Security and Risk Management, Governance, Compliance, Ethics
Nortren
The NIST Risk Management Framework, defined in Special Publication 800-37, provides a structured process for managing security risk across an organization. Its seven steps are prepare by establishing context and priorities, categorize information systems by impact level, select appropriate security controls, implement the selected controls, assess whether controls are effective, authorize the system to operate based on residual risk, and monitor controls on an ongoing basis. The RMF is mandatory for US federal agencies and widely adopted in the private sector.
csrc.nist.gov