Compliance Glossary

NIST Risk Management Framework (RMF) is a seven-step repeatable process to manage and mitigate risks related to information systems. Developed by the National Institute of Standards and Technology (NIST), the framework was originally developed for federal agencies but has since been adopted by various industries to achieve compliance and manage cybersecurity risks.

The framework integrates security, privacy and cybersecurity supply chain risks into system development lifecycle to enable organizations to take a risk-based approach throughout the control implementation process.

The seven key steps in the NIST RMF include:

• Prepare aims to enable the organizations to understand their risk profiles and prepare for security risks by assessing data, networks and other infrastructure
• Categorize focuses on sensitivity of information processes and grouping systems accordingly to understand the impact of potential risks
• Select aims to choose the right security measures to mitigate the identified risks
• Implement ensures that the chosen controls are implemented and documented
• Assess evaluates if the implemented controls are functioning as intended to protect the information systems
• Authorize aims to promote accountability and ensures that the senior management oversees the implementation and assessment of controls to minimize risks
• Monitor involves continuous oversight of the risk environment and updating the controls as required