The NIST RMF Seven Steps: A Practical Walkthrough
April 14, 2026
The NIST Risk Management Framework (SP 800-37 Rev. 2) gives you a concrete, repeatable lifecycle for securing and authorising an information system. It is heavily referenced in US federal and contractor environments and appears across CISSP and risk certifications. Here is what each of the seven steps actually involves.
1. Prepare
Added in Revision 2, Prepare establishes context at both the organisation and system level before any categorisation happens: roles, risk tolerance, a risk-management strategy, and an inventory of what you are protecting. It is the step that makes the rest efficient — skip it and you categorise and control in a vacuum.
2. Categorize
Determine the system's impact level using FIPS 199, rating the potential impact of a loss of confidentiality, integrity and availability as low, moderate or high. A key rule is the high-water mark: the system's overall categorisation is the highest of the three ratings. This categorisation drives every control decision that follows.
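As an added example (not code from the original post), here is the high-water-mark rule carried through the way FIPS 199 actually applies it to a system holding several information types: the highest rating per security objective across all information types, then the highest of the three as the overall level that the Select step consumes. It also handles the two edges FIPS 199 specifies, "not applicable" being permitted only for an information type's confidentiality and a system-level objective never dropping below LOW. The information types and ratings are constructed for illustration.

```python
# Added example (not from the original post): FIPS 199 categorisation of a
# system holding several information types. All ratings below are constructed.
from dataclasses import dataclass
from typing import Optional

# FIPS 199 impact levels in ascending order. None stands for "not applicable",
# which FIPS 199 allows only for the confidentiality of an information type.
LEVELS = {None: 0, "LOW": 1, "MODERATE": 2, "HIGH": 3}
NAMES = {1: "LOW", 2: "MODERATE", 3: "HIGH"}
OBJECTIVES = ("confidentiality", "integrity", "availability")

@dataclass(frozen=True)
class InfoType:
    name: str
    confidentiality: Optional[str]  # None means N/A (e.g. public information)
    integrity: str
    availability: str

def _validate(t: InfoType) -> None:
    for objective in OBJECTIVES:
        value = getattr(t, objective)
        if value not in LEVELS:
            raise ValueError(f"{t.name}: invalid {objective} rating {value!r}")
        if value is None and objective != "confidentiality":
            raise ValueError(f"{t.name}: N/A is only permitted for confidentiality")

def categorize_system(info_types: list[InfoType]) -> dict[str, str]:
    """Return the system's security category: one level per objective plus "overall".

    Each objective takes the highest rating among the information types on the
    system (the high-water mark), floored at LOW because a system-level objective
    can never be N/A. The overall level, which drives control selection in the
    next step, is the high-water mark across the three objectives.
    """
    if not info_types:
        raise ValueError("a system must hold at least one information type")
    for t in info_types:
        _validate(t)
    category = {}
    for objective in OBJECTIVES:
        hwm = max(LEVELS[getattr(t, objective)] for t in info_types)
        category[objective] = NAMES[max(hwm, LEVELS["LOW"])]  # low-water mark is LOW
    category["overall"] = NAMES[max(LEVELS[category[o]] for o in OBJECTIVES)]
    return category

if __name__ == "__main__":
    print(categorize_system([InfoType("Public web content", None, "LOW", "LOW"),
                             InfoType("Payment ledger", "MODERATE", "HIGH", "MODERATE")]))
```

Note that a single HIGH integrity rating on one information type is enough to make the whole system HIGH, which is exactly why the categorisation, not the deployment appetite, has to drive the baseline chosen in the next step.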
3. Select
Choose a baseline set of controls from SP 800-53 appropriate to the impact level, then tailor it — adding, removing or adjusting controls to fit the system's actual risk, documenting every deviation. Selection follows from the categorisation, not from what is technically interesting to deploy.
4. Implement
Deploy the selected controls and document how each is implemented. The documentation matters as much as the deployment, because the next step tests against it.
5. Assess
An assessor tests whether the controls are implemented correctly, operating as intended, and producing the desired outcome. The output is a security assessment report identifying any weaknesses, which feed a plan of action and milestones (POA&M) for remediation.
6. Authorize
This is the decision step. A senior official — the authorising official — reviews the residual risk and makes an explicit, accountable decision to accept it, granting an Authorization to Operate (ATO). This is where risk acceptance becomes formal and named: the system does not go live until an accountable person signs for the residual risk. It is the clearest embodiment of a principle every risk framework shares — acceptance must be a conscious decision by someone with the authority to make it.
7. Monitor
Authorisation is not the finish line. Continuous monitoring tracks control effectiveness, configuration changes, new vulnerabilities, and the evolving threat environment, feeding back into the earlier steps. A significant change can send a system back through categorisation or assessment and toward re-authorisation. RMF is a loop, not a line.
How to remember it
The seven steps run Prepare → Categorize → Select → Implement → Assess → Authorize → Monitor. Hold onto two anchors: Categorize uses the high-water mark, and Authorize is where the accountable ATO decision lives. If you map these onto the ISO 31000 process — context, assessment, treatment, monitoring — you will see RMF is one disciplined, security-specific implementation of the same universal risk cycle.