
Risk Management Framework

The selection and specification of security controls for an information system is accomplished as part of an organization-wide information security program that involves the management of organizational risk---that is, the risk to the organization or to individuals associated with the operation of an information system. The management of organizational risk is a key element in the organization's information security program and provides an effective framework for selecting the appropriate security controls for an information system---the security controls necessary to protect individuals and the operations and assets of the organization.

Risk-Based Approach

The risk-based approach to security control selection and specification considers effectiveness, efficiency, and constraints due to applicable laws, directives, Executive Orders, policies, standards, or regulations. The following activities related to managing organizational risk (also known as the NIST Risk Management Framework) are paramount to an effective information security program and can be applied to both new and legacy information systems within the context of the system development life cycle and the Federal Enterprise Architecture:

Step 1: Categorize

Categorize the information system and the information resident within that system based on impact. FIPS 199 and NIST SP 800-60 Revision 1 (Volume 1, Volume 2)

Step 2: Select

Select an initial set of security controls for the information system based on the FIPS 199 security categorization and apply tailoring guidance as appropriate to obtain a starting point for the required controls. FIPS 200 and NIST SP 800-53, Revision 2

Step 3: Supplement

Supplement the initial set of tailored security controls based on an assessment of risk and local conditions including organization-specific security requirements, specific threat information, cost-benefit analyses, or special circumstances. NIST SP 800-53, Revision 2 and SP 800-30

Step 4: Document

Document the agreed-upon set of security controls in the system security plan including the organization's justification for any refinements or adjustments to the initial set of controls. NIST SP 800-18, Revision 1

Step 5: Implement

Implement the security controls in the information system.

See appropriate NIST publication in the publications section.

Step 6: Assess

Assess the security controls using appropriate methods and procedures to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting the security requirements for the system. NIST SP 800-53A

Step 7: Authorize

Authorize information system operation based upon a determination of the risk to organizational operations, organizational assets, or to individuals resulting from the operation of the information system and the decision that this risk is acceptable. NIST SP 800-37

Step 8: Monitor

Monitor and assess selected security controls in the information system on a continuous basis including documenting changes to the system, conducting security impact analyses of the associated changes, and reporting the security status of the system to appropriate organizational officials on a regular basis. NIST SP 800-37 and SP 800-53A
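Steps 1 and 2 rest on the FIPS 199 security categorization: each information type on the system is assigned an impact level (Low, Moderate, High) for confidentiality, integrity and availability, the system's category is the high water mark of those values across its information types, and the highest impact across the three objectives selects the FIPS 200 / SP 800-53 baseline. The following is an added example, not NIST's code or tooling; the two information types and their impact levels are constructed for illustration.

```python
"""FIPS 199 security categorization using the high water mark rule (added example)."""
from dataclasses import dataclass
from typing import Dict, Iterable

# Impact levels ordered for high water mark comparison.  FIPS 199 permits
# "not applicable" only for the confidentiality of an information type, never
# for integrity or availability, and never for an information system.
LEVELS = {"N/A": 0, "LOW": 1, "MODERATE": 2, "HIGH": 3}
NAMES = {v: k for k, v in LEVELS.items()}
OBJECTIVES = ("confidentiality", "integrity", "availability")


@dataclass(frozen=True)
class InfoType:
    """Security category of one information type (an SP 800-60 style entry)."""
    name: str
    confidentiality: str
    integrity: str
    availability: str

    def __post_init__(self):
        for obj in OBJECTIVES:
            lvl = getattr(self, obj).upper()
            if lvl not in LEVELS:
                raise ValueError(f"{self.name}: unknown impact level {lvl!r}")
            if lvl == "N/A" and obj != "confidentiality":
                raise ValueError(f"{self.name}: N/A is only valid for confidentiality")


def categorize_system(info_types: Iterable[InfoType]) -> Dict[str, str]:
    """Per-objective high water mark over all information types, floored at
    LOW because a system's own processing always needs at least Low protection."""
    sc = {obj: LEVELS["LOW"] for obj in OBJECTIVES}
    for it in info_types:
        for obj in OBJECTIVES:
            sc[obj] = max(sc[obj], LEVELS[getattr(it, obj).upper()])
    return {obj: NAMES[v] for obj, v in sc.items()}


def baseline_for(sc: Dict[str, str]) -> str:
    """FIPS 200: the control baseline follows the highest impact across objectives."""
    return NAMES[max(LEVELS[v] for v in sc.values())]


def format_sc(sc: Dict[str, str]) -> str:
    """Render in FIPS 199 notation, e.g. SC = {(confidentiality, MODERATE), ...}."""
    return "SC = {" + ", ".join(f"({o}, {sc[o]})" for o in OBJECTIVES) + "}"


if __name__ == "__main__":
    # Constructed sample information types for a hypothetical system.
    types = [InfoType("Public web content", "N/A", "MODERATE", "LOW"),
             InfoType("Contractor contact data", "MODERATE", "LOW", "LOW")]
    system_sc = categorize_system(types)
    print(format_sc(system_sc), "->", baseline_for(system_sc), "baseline")
```

Note that a single public information type with confidentiality N/A still yields a system confidentiality of LOW, which is the FIPS 199 floor for systems.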

See the Risk Framework with associated security standards and guidance documents. A black and white version is also available for printing.