Risk Management Framework

Title III of FISMA 2002 tasked NIST with developing information security and risk management standards, guidelines, and requirements.[13]

The RMF, outlined in NIST Special Publication 800-37 and first published in February 2010, is designed to help organizations manage cybersecurity risks and comply with various U.S. laws and regulations, including the Federal Information Security Modernization Act of 2014, the Privacy Act of 1974, and Federal Information Processing Standards, among others.[6][7][8][9]

In December 2019, revision 2 of NIST Special Publication 800-37 was published, introducing a Prepare step to the overall process.[1]

Throughout its lifecycle, an information system will face various types of risk that can affect its security posture.

Information asset risks concern the potential loss or unauthorized disclosure of the data the system holds.

RMF 7-step process