The steps of the Risk Management Framework, with the NIST publications that apply to each step, are listed below:
Prerequisites:
NIST.SP.800.18r1 -
NIST.SP.800.30 – Guide for Conducting Risk Assessments
NIST.SP.800.39 – Managing Information Security Risk (Organization, Mission, and information System View)
Step 1 Categorize Information Systems
FIPS 199 – Standards for Security Categorization of Federal Information and Information Systems
NIST.SP.800.60
Volume I – Guide for Mapping Types of Information and Information Systems to Security Categories
Volume II -
Step 2 Select Security Controls
FIPS 200 – Minimum Security Requirements for Federal Information and Information Systems
NIST.SP.800.53 r4 -
Step 3 Implement Security Controls
NIST.SP.800.160 – Systems Security Engineering (Considerations for a Multidisciplinary Approach in the Engineering of Trustworthy Secure Systems)
Step 4 Assess Security Controls
NIST.SP.800.53A r4 – Assessing Security and Privacy Controls in Federal Information Systems and Organizations: Building Effective Assessment Plans
Step 5 Authorize Information Systems
NIST.SP.800.37 – Guide for Applying the Risk Management Framework to Federal Information Systems (A Security Life Cycle Approach)
Step 6 Monitor Security Controls
NIST.SP.800.137 – Information Security Continuous Monitoring (ISCM) for Federal Information Systems and Organizations
NIST.SP.800.53A r4 -
National Vulnerability Database
Framework for Improving Critical Infrastructure Cybersecurity, Version 1.0, National Institute of Standards and Technology, February 12, 2014
https://www.nist.gov/sites/default/files/documents/cyberframework/cybersecurity-
Cloud Computing Security and Privacy
NIST.SP.800.144 -
NIST.SP.800.145 -
NIST.SP.800.146 -
Health Insurance Portability and Accountability Act (HIPAA) Security Rule
NIST.SP.800-
Use With: NIST Special Publication 800-
Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations