July 24, 2024: NIST releases SP 1314, NIST Risk Management Framework (RMF) Small Enterprise Quick Start Guide, designed to introduce the RMF to small, under-resourced entities.
April 10, 2024: NIST releases introductory courses for SP 800-53, SP 800-53A, and SP 800-53B. Each 45-60 minute course provides a high-level overview of the SP 800-53 controls, SP 800-53A assessment procedures, and SP 800-53B control baselines.
January 31, 2024: NIST seeks to update and improve the guidance in SP 800-60, Guide for Mapping Types of Information and Information Systems to Security Categories. Specifically, NIST seeks feedback on its current use, proposed updates in the Revision 2 initial working draft and information types taxonomy, and opportunities for ongoing improvement to SP 800-60. The public is invited to provide input by March 18, 2024.
November 7, 2023: NIST issues SP 800-53 Release 5.1.1 in the Cybersecurity and Privacy Reference Tool (CPRT). The corresponding assessment procedures in SP 800-53A have also been updated , and the SP 800-53A assessment procedures and SP 800-53B control baselines are also now available in the CPRT. For more information, see: CSRC News Article and the SP 800-53 Release 5.1.1 FAQ (updated). A detailed listing of the changes is also available for SP 800-53 and SP 800-53A.
Thank you to those who submitted comments using the NIST SP 800-53 Public Comment Website.
The NIST Risk Management Framework (RMF) provides a comprehensive, flexible, repeatable, and measurable 7-step process that any organization can use to manage information security and privacy risk for organizations and systems and links to a suite of NIST standards and guidelines to support implementation of risk management programs to meet the requirements of the Federal Information Security Modernization Act (FISMA).
This site provides an overview, explains each RMF step, and offers resources to support implementation, such as updated Quick Start Guides, and the RMF Publication.
Prepare | Essential activities to prepare the organization to manage security and privacy risks |
Categorize | Categorize the system and information processed, stored, and transmitted based on an impact analysis |
Select | Select the set of NIST SP 800-53 controls to protect the system based on risk assessment(s) |
Implement | Implement the controls and document how controls are deployed |
Assess | Assess to determine if the controls are in place, operating as intended, and producing the desired results |
Authorize | Senior official makes a risk-based decision to authorize the system (to operate) |
Monitor | Continuously monitor control implementation and risks to the system |