RMF & NIST 800-53: How the Risk Management Framework and Control Catalog Work Together

SaltyCloud Research Team

Updated Mar 10, 2026. Read time: 15 min.

RMF & NIST 800-53: How They Work Together

The NIST SP 800-37 Risk Management Framework (RMF) and the NIST SP 800-53 Rev. 5 control catalog are companion publications for managing information security and privacy risk. NIST SP 800-37 defines the risk management process, and NIST SP 800-53 provides the security and privacy controls that organizations select and implement within the RMF lifecycle.

This guide explains how the RMF and NIST SP 800-53 work together in practice. It covers the RMF lifecycle, where 800-53 controls fit within each step, and how organizations can use both frameworks to build a structured risk management program.

What Is the Risk Management Framework (RMF)?

Defined in NIST SP 800-37, the Risk Management Framework (RMF) is a lifecycle for managing security and privacy risk across information systems and operations. Published by the National Institute of Standards and Technology (NIST), the RMF describes how to categorize systems, select security controls, assess control effectiveness, authorize system operation, and continuously monitor security posture.

Originally developed for federal agencies under the Federal Information Security Modernization Act (FISMA), the RMF is now widely adopted beyond the federal government. In 2026, universities, healthcare providers, defense contractors, and other organizations use it to structure their risk management programs.

The Risk Management Framework (RMF), defined in NIST 800-37, is a widely adopted, seven-step process for managing information security and privacy risk. Within the RMF lifecycle, organizations select, implement, assess, and monitor controls such as those defined in NIST SP 800-53.

NIST 800-37 organizes risk management into seven steps: Prepare, Categorize, Select, Implement, Assess, Authorize, and Monitor. Organizations follow these steps to integrate risk management into the system development lifecycle and create a repeatable structure for maintaining controls over time. The following breakdown gives, for each RMF step, its objective and a brief description:

Step 1 – Prepare (objective: establish readiness)
  • Establish context for managing risk
  • Set organizational and system-level priorities
  • Ensure stakeholders and resources are aligned to execute the RMF
Step 2 – Categorize (objective: understand impact)
  • Analyze the system and the information it processes, stores, and transmits
  • Assess the impact of a loss of confidentiality, integrity, or availability
  • Assign the Low, Moderate, or High impact level that drives control requirements
Step 3 – Select (objective: choose controls)
  • Select an initial set of security and privacy controls
  • Tailor the controls based on risk levels
  • Reduce risk to an acceptable or manageable level
Step 4 – Implement (objective: apply controls)
  • Deploy selected controls within the system
  • Document how the controls are implemented
  • Ensure controls are integrated into the system’s operating environment
Step 5 – Assess (objective: verify effectiveness)
  • Evaluate whether controls are implemented correctly
  • Confirm controls operate as intended
  • Validate that controls meet the required security and privacy outcomes
Step 6 – Authorize (objective: approve risk)
  • Decide if system-related risks are acceptable
  • Base the decision on assessment findings
  • Formally approve the system or common controls for operation
Step 7 – Monitor (objective: maintain oversight)
  • Continuously monitor system controls
  • Assess changes in risk and environment
  • Conduct regular risk assessments and update documentation
  • Report on security and privacy posture over time

How to Use the NIST RMF

The RMF establishes the process for managing risk, but it does not itself define security requirements. Control catalogs such as NIST SP 800-53 supply the security and privacy controls that organizations select, implement, assess, and monitor throughout the RMF lifecycle.

Several other NIST publications provide the guidance that each step of NIST 800-37 relies on for categorizing systems, selecting controls, assessing risk, and evaluating controls.

NIST SP 800-53
  Purpose: Catalog of security and privacy controls that organizations select and implement to protect information systems.
  Relationship to RMF: Controls are selected during the Select step and implemented, assessed, and monitored throughout the RMF lifecycle.
FIPS 199
  Purpose: Defines security categorization based on the potential impact (Low, Moderate, or High) of a loss of confidentiality, integrity, or availability.
  Relationship to RMF: Used during the Categorize step to determine a system’s impact level.
NIST SP 800-53A
  Purpose: Assessment procedures for evaluating whether controls are implemented correctly and operating as intended.
  Relationship to RMF: Used during the Assess step to evaluate implemented controls.
NIST SP 800-53B
  Purpose: Pre-tailored security control baselines for Low, Moderate, and High impact systems, plus a privacy control baseline.
  Relationship to RMF: Provides the control baselines organizations start from during the Select step.
NIST SP 800-30
  Purpose: Risk assessment methodology to identify threats and vulnerabilities, analyze likelihood and impact, and determine overall risk.
  Relationship to RMF: Supports risk assessments throughout the RMF lifecycle, informing categorization, control selection, and monitoring.

Understanding the RMF means understanding how all of these publications work together, with NIST SP 800-37 and NIST SP 800-53 at the foundation.

How to Use NIST 800-53 with RMF

NIST SP 800-53 plays an important role throughout the entire RMF lifecycle, and especially during Step 3 (Select). Here, organizations identify and select security and privacy controls based on identified risks. This is where NIST SP 800-37 and NIST 800-53 intersect most clearly.

Before reaching Step 3 of the RMF, organizations must prepare their governance approach in Step 1 (Prepare) and categorize the system in Step 2 (Categorize) using FIPS 199. After assigning a Low, Moderate, or High impact level, organizations use that categorization with risk assessment results to select a starting set of controls from NIST SP 800-53B Control Baselines.

Each control baseline provides a different starting point based on the system’s impact level:

  • Low baseline: 149 controls, for systems where a loss of confidentiality, integrity, or availability would have a limited adverse effect
  • Moderate baseline: 287 controls, for systems where such a loss would have a serious adverse effect
  • High baseline: 370 controls, for systems where such a loss would have a severe or catastrophic adverse effect

Organizations then tailor this baseline by adding, removing, or adjusting controls based on risk assessment results, the system environment, and organizational needs, documenting the rationale for each tailoring decision. Some organizations also apply overlays: specialized control sets for particular environments or communities, such as defense systems or cloud platforms. For example, the FedRAMP baselines build on the NIST 800-53 control baselines and define additional security requirements for federal cloud systems.

The seven RMF steps are usually presented in order, but in practice the framework operates as a continuous cycle. The discussion for NIST 800-53 control RA-3 (Risk Assessment) states that risk assessments can occur at any RMF step, including preparation, categorization, control selection, implementation, assessment, authorization, and monitoring.

Instead of being limited to Step 2, risk assessment continues throughout the entire system development lifecycle. Monitoring results may trigger re-categorization, assessment findings may require new controls, and authorization decisions may be revisited as risks change. The RMF’s greatest strength is that it provides a continuous feedback loop where controls are regularly evaluated and adjusted as threats, vulnerabilities, and organizational conditions evolve.

NIST SP 800-53 Role Across RMF Steps

NIST 800-53 may appear limited to Step 3 (Select), but it continues to play a role throughout the rest of the RMF lifecycle. Once selected, NIST 800-53 controls are:

  • Implemented during Step 4 (Implement)
  • Assessed for effectiveness during Step 5 (Assess)
  • Evaluated as part of the authorization decision during Step 6 (Authorize)
  • Tracked and maintained during Step 7 (Monitor)

The breakdown below shows how the control catalog interacts with each RMF step.

Step 1 – Prepare
  Description: Organizations define risk tolerance, assign roles, and establish policies and resources for risk management.
  Role of NIST 800-53: Controls are not directly applied yet. Teams identify which control baselines or overlays may apply based on mission and regulatory requirements.
Step 2 – Categorize
  Description: The system’s impact level is determined based on potential harm to confidentiality, integrity, and availability.
  Role of NIST 800-53: The categorization level determines which 800-53 control baseline (Low, Moderate, High) applies in the next step.
Step 3 – Select
  Description: Security and privacy controls are chosen to address identified risks.
  Role of NIST 800-53: Organizations select controls from the NIST 800-53 catalog, starting with a baseline from NIST 800-53B and tailoring it based on risk assessment results.
Step 4 – Implement
  Description: Selected controls are deployed within system architecture, processes, and policies.
  Role of NIST 800-53: Control requirements are implemented through technical configurations, procedures, and security safeguards.
Step 5 – Assess
  Description: Assessors evaluate whether controls are implemented correctly and operating effectively.
  Role of NIST 800-53: Each selected control is tested and validated against its requirements and assessment procedures.
Step 6 – Authorize
  Description: The Authorizing Official reviews risk information and decides whether the system may operate.
  Role of NIST 800-53: Assessment results for the selected controls inform the authorization decision and determine residual risk.
Step 7 – Monitor
  Description: Security posture is continuously tracked as the system operates and changes.
  Role of NIST 800-53: Controls are continuously monitored, reassessed, and updated as threats, vulnerabilities, or configurations change.

For a complete breakdown of the NIST SP 800-53 control catalog, see NIST 800-53: The Complete Guide to Security and Privacy Controls.

How to Use the RMF with NIST 800-53

The NIST 800-37 RMF organizes risk management into seven steps, with NIST 800-53 controls directly involved in at least four of them. Here is how the process works and where specific 800-53 controls come into play.

Step 1: Prepare

The Prepare step sets the foundation. Organizations define their risk tolerance, assign roles and responsibilities, and establish the policies and resources needed to support risk management.

NIST 800-53 controls do not play a direct role yet. Teams plan how controls will be used later, identifying which baselines or overlays may apply based on mission, regulatory requirements, and system type.

Step 2: Categorize

The Categorize step assigns the system an impact level (Low, Moderate, or High) based on FIPS 199 guidance. This determines which NIST SP 800-53 control baseline applies.

The RA-2 (Security Categorization) control governs this activity. It requires organizations to:

  • Categorize the system and the information it processes, stores, and transmits
  • Document the categorization results and supporting rationale in the System Security Plan (SSP)
  • Obtain review and approval of the categorization from the Authorizing Official (AO) or designated representative

System categorization should be revisited over time to ensure the impact level remains accurate as the system changes.

Getting this right is critical. Over-categorization wastes resources on unnecessary controls, while under-categorization leaves gaps that expose the system to risk.

Step 3: Select

Organizations choose security and privacy controls from NIST SP 800-53 based on the system’s impact level. The 800-53 catalog organizes roughly 1,200 controls and control enhancements into 20 control families, including access control (AC), system and communications protection (SC), incident response (IR), supply chain risk management (SR), and others. Together, they cover the policies, technical safeguards, and operational procedures needed to protect an information system.

Each impact level maps to a predefined control baseline:

  • Low Baseline: 149 controls
  • Moderate Baseline: 287 controls
  • High Baseline: 370 controls

Organizations start with the matching baseline, then tailor it. Tailoring may include:

  • Scoping controls based on system architecture, technologies, and operating environment
  • Applying compensating controls when a standard control cannot be implemented as written
  • Adding supplemental controls identified through risk assessment or organizational requirements

The final tailored baseline, together with the rationale for each tailoring decision, is documented in the system security plan and becomes the full set of controls to implement for the system.
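As an added worked example for Steps 2 and 3 (this is not code from NIST or from this article), the following Python carries a constructed system through FIPS 199 categorization, the FIPS 200 high-water mark, baseline selection, and tailoring. The baselines it ships with are an abbreviated, constructed subset standing in for the real 800-53B baselines, the information types and tailoring decisions are constructed sample data, and the tailoring function refuses any decision that arrives without a documented rationale.

```python
"""FIPS 199 categorization, FIPS 200 high-water mark, and 800-53B baseline tailoring.

Added worked example; not code from NIST or from this article. SAMPLE_BASELINES is a
constructed, abbreviated stand-in for the real 800-53B baselines (149/287/370 entries).
"""
from dataclasses import dataclass
from enum import IntEnum


class Impact(IntEnum):
    NA = 0          # permitted only for the confidentiality of an information type (public data)
    LOW = 1
    MODERATE = 2
    HIGH = 3


@dataclass(frozen=True)
class SecurityCategory:
    """SC = {(confidentiality, impact), (integrity, impact), (availability, impact)}."""
    confidentiality: Impact
    integrity: Impact
    availability: Impact


def categorize_system(info_types: dict[str, SecurityCategory]) -> SecurityCategory:
    """FIPS 199 system categorization: per-objective high-water mark across every information
    type the system handles, floored at LOW because N/A is never allowed at the system level."""
    if not info_types:
        raise ValueError("a system must process, store, or transmit at least one information type")
    cats = list(info_types.values())
    return SecurityCategory(
        confidentiality=max(Impact.LOW, *(c.confidentiality for c in cats)),
        integrity=max(Impact.LOW, *(c.integrity for c in cats)),
        availability=max(Impact.LOW, *(c.availability for c in cats)),
    )


def overall_impact(sc: SecurityCategory) -> Impact:
    """FIPS 200 high-water mark across C/I/A: the single level that picks the 800-53B baseline."""
    return max(sc.confidentiality, sc.integrity, sc.availability)


# Constructed subset for illustration only: real control identifiers, not the real baseline membership.
SAMPLE_BASELINES: dict[Impact, frozenset[str]] = {
    Impact.LOW: frozenset({"AC-2", "AC-3", "AC-18", "AU-2", "CA-2", "CA-7", "IA-2", "RA-3", "RA-5", "SC-7"}),
    Impact.MODERATE: frozenset({"AC-2", "AC-2(1)", "AC-3", "AC-18", "AU-2", "AU-6", "CA-2", "CA-7",
                                "IA-2", "IA-2(1)", "RA-3", "RA-5", "SC-7", "SC-8", "SC-28"}),
    Impact.HIGH: frozenset({"AC-2", "AC-2(1)", "AC-3", "AC-18", "AU-2", "AU-6", "CA-2", "CA-7", "CA-8",
                            "IA-2", "IA-2(1)", "RA-3", "RA-5", "SC-7", "SC-8", "SC-28"}),
}


@dataclass(frozen=True)
class TailoringDecision:
    control: str
    action: str        # "scope_out" (remove) or "supplement" (add)
    rationale: str     # 800-53B expects every tailoring decision to be documented and justified


def tailor(baseline: frozenset[str], decisions: list[TailoringDecision]) -> dict[str, str]:
    """Apply scoping and supplementation, returning control -> status. A decision without a
    rationale is rejected, so an undocumented removal cannot silently shrink the control set."""
    status = {control: "baseline" for control in baseline}
    for d in decisions:
        if not d.rationale.strip():
            raise ValueError(f"{d.action} {d.control}: tailoring decision requires a documented rationale")
        if d.action == "scope_out":
            if d.control not in baseline:
                raise ValueError(f"{d.control} is not in the baseline; nothing to scope out")
            status[d.control] = f"scoped out: {d.rationale}"
        elif d.action == "supplement":
            status[d.control] = f"supplemental: {d.rationale}"
        else:
            raise ValueError(f"unknown tailoring action {d.action!r}")
    return status


def controls_to_implement(status: dict[str, str]) -> frozenset[str]:
    """The tailored baseline handed to Step 4: everything not scoped out."""
    return frozenset(c for c, s in status.items() if not s.startswith("scoped out"))


# Constructed sample: a student-records web application that also serves a public course catalog.
SAMPLE_INFO_TYPES = {
    "public course catalog": SecurityCategory(Impact.NA, Impact.LOW, Impact.LOW),
    "student records": SecurityCategory(Impact.MODERATE, Impact.MODERATE, Impact.LOW),
}
SAMPLE_DECISIONS = [
    TailoringDecision("AC-18", "scope_out", "system has no wireless components (technology-related scoping)"),
    TailoringDecision("CA-8", "supplement", "annual penetration test required by organizational policy"),
]


def run_sample() -> tuple[SecurityCategory, Impact, dict[str, str]]:
    sc = categorize_system(SAMPLE_INFO_TYPES)
    level = overall_impact(sc)
    return sc, level, tailor(SAMPLE_BASELINES[level], SAMPLE_DECISIONS)
```

Calling run_sample() yields a system category of (Moderate, Moderate, Low): the public catalog contributes nothing above the Low floor, and the student records raise confidentiality and integrity. The FIPS 200 high-water mark is therefore Moderate, which selects the Moderate baseline; AC-18 is then scoped out with a recorded reason and CA-8 is added as a supplemental control, and only the rationale text, not the scoping itself, is what the assessor in Step 5 will later have to read.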

Step 4: Implement

Organizations deploy the selected controls within the system and its operating environment. Teams implement each control from the tailored baseline and configure it to operate within the system. They also document how each control is implemented, with documentation feeding directly into assessment in the next step.

Step 5: Assess

Organizations evaluate whether deployed controls work as intended: correctly implemented, operating properly, and producing expected security outcomes.

This aligns with CA-2 (Control Assessments) in NIST SP 800-53, which requires organizations to:

  • Select qualified assessors with the knowledge and experience to evaluate the system’s controls
  • Develop a control assessment plan describing what will be assessed, how the assessment will be carried out, and the criteria used to evaluate the controls
  • Have the assessment plan reviewed and approved by the Authorizing Official or a designated representative before the assessment begins
  • Assess the controls to determine whether they are implemented correctly, operating as intended, and meeting security and privacy requirements
  • Produce a control assessment report that records findings and observations, and provide the results to the individuals or roles the organization designates

Assessments follow procedures defined in NIST SP 800-53A to identify weaknesses, confirm whether requirements are met, and provide the evidence needed for authorization decisions.

Step 6: Authorize

The Authorizing Official (AO) reviews the system’s security posture and makes a risk-based decision about whether it can operate. If risk is acceptable, the AO grants an Authority to Operate (ATO).

This aligns with CA-6 (Authorization) in NIST SP 800-53, which requires the organization to:

  • Assign a senior official as the AO responsible for authorizing the system and any common controls available for inheritance
  • Authorize the system to operate after accepting the use of any inherited common controls
  • Update authorizations at an organization-defined frequency or when significant changes occur

Authorization is a formal management decision — senior leadership explicitly accepts the remaining risk of operating the system. The decision relies on assessment results from Step 5, the system’s residual risk profile, and the Plan of Action and Milestones (POA&M) documented under CA-5.

Step 7: Monitor

Organizations track control performance over time, observe system activity, and respond to new risks as they appear.

This aligns with CA-7 (Continuous Monitoring) in NIST SP 800-53, which requires organizations to develop a system-level continuous monitoring strategy. Key activities include:

  • Establishing system-level metrics to monitor control performance
  • Defining assessment frequency for controls
  • Performing ongoing control assessments
  • Analyzing monitoring results to identify risks or weaknesses
  • Taking corrective action when issues are discovered
  • Reporting system security status to appropriate stakeholders

RA-5 (Vulnerability Monitoring and Scanning) also plays a key role — requiring regular vulnerability scans and remediation of discovered weaknesses.

Strong monitoring programs detect problems early and maintain risk awareness. Over time, they can reduce the need for full reauthorization by providing ongoing evidence that risks remain acceptable.
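As an added worked example for Step 7 (again, not code from NIST or from this article), the following Python applies the CA-7 idea of organization-defined assessment frequencies and the RA-5 idea of remediation windows to constructed sample data, turning every stale control assessment and every aged scan finding into a POA&M candidate of the kind tracked under CA-5. The frequencies and remediation windows are assumed organization-defined values, and the control records, hosts, and finding labels are constructed; a real feed would carry the scanner's own identifiers.

```python
"""CA-7 continuous monitoring check: stale control assessments and aged RA-5 scan
findings become POA&M candidates (CA-5) for the authorizing official.

Added worked example; not code from NIST or from this article. Assessment frequencies
and remediation windows are assumed organization-defined values, and the control
records and scan findings are constructed sample data.
"""
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass(frozen=True)
class ControlRecord:
    control: str
    last_assessed: date
    frequency_days: int      # CA-7: organization-defined frequency for reassessing this control


@dataclass(frozen=True)
class ScanFinding:
    finding: str             # constructed label; a real feed carries the scanner's plugin or CVE id
    host: str
    severity: str            # "critical" | "high" | "moderate" | "low"
    first_seen: date


# Assumed organization-defined remediation windows for RA-5 findings, in days.
REMEDIATION_DAYS = {"critical": 30, "high": 90, "moderate": 180, "low": 365}


@dataclass(frozen=True)
class PoamCandidate:
    weakness: str
    source: str              # the monitoring control that surfaced it (CA-7 or RA-5)
    due: date
    days_overdue: int


def overdue_assessments(controls: list[ControlRecord], as_of: date) -> list[PoamCandidate]:
    """Controls whose last assessment is older than their CA-7 frequency."""
    out = []
    for c in controls:
        due = c.last_assessed + timedelta(days=c.frequency_days)
        if as_of > due:
            out.append(PoamCandidate(f"{c.control} reassessment overdue", "CA-7", due, (as_of - due).days))
    return out


def overdue_findings(findings: list[ScanFinding], as_of: date) -> list[PoamCandidate]:
    """RA-5 findings that have outlived their remediation window. An unknown severity is an
    error rather than being silently treated as low."""
    out = []
    for f in findings:
        window = REMEDIATION_DAYS.get(f.severity.lower())
        if window is None:
            raise ValueError(f"unknown severity {f.severity!r} for {f.finding} on {f.host}")
        due = f.first_seen + timedelta(days=window)
        if as_of > due:
            out.append(PoamCandidate(f"{f.severity} {f.finding} on {f.host}", "RA-5", due, (as_of - due).days))
    return out


def monitoring_report(controls: list[ControlRecord], findings: list[ScanFinding], as_of: date) -> dict:
    """CA-7 status report: an assessment-coverage metric, open findings by severity, and
    POA&M candidates ordered by how long they have been overdue."""
    stale = overdue_assessments(controls, as_of)
    aged = overdue_findings(findings, as_of)
    by_severity: dict[str, int] = {}
    for f in findings:
        by_severity[f.severity] = by_severity.get(f.severity, 0) + 1
    return {
        "as_of": as_of.isoformat(),
        "controls_total": len(controls),
        "controls_within_frequency": len(controls) - len(stale),
        "open_findings_by_severity": by_severity,
        "poam_candidates": sorted(stale + aged, key=lambda p: p.days_overdue, reverse=True),
    }


# Constructed sample data, evaluated as of 2026-03-10.
SAMPLE_AS_OF = date(2026, 3, 10)
SAMPLE_CONTROLS = [
    ControlRecord("CA-7", date(2025, 12, 1), 90),
    ControlRecord("AC-2", date(2026, 2, 1), 90),
    ControlRecord("RA-5", date(2025, 1, 15), 365),
    ControlRecord("IA-2", date(2026, 1, 10), 180),
]
SAMPLE_FINDINGS = [
    ScanFinding("missing-os-patches", "app01", "critical", date(2026, 1, 20)),
    ScanFinding("unsupported-tls-version", "db01", "high", date(2026, 2, 15)),
    ScanFinding("self-signed-certificate", "app02", "moderate", date(2025, 8, 1)),
]

if __name__ == "__main__":
    for item in monitoring_report(SAMPLE_CONTROLS, SAMPLE_FINDINGS, SAMPLE_AS_OF)["poam_candidates"]:
        print(f"{item.days_overdue:>3} days overdue  [{item.source}] {item.weakness} (due {item.due})")
```

On the sample data the report shows two of four controls inside their assessment window and four POA&M candidates, led by the RA-5 reassessment that is 54 days late and the moderate finding on app02 that has been open well past its 180-day window. Ordering by days overdue rather than by severity alone is deliberate: a moderate weakness that has been ignored for months is usually a better indicator that the monitoring process itself has stalled than a fresh critical finding that is still inside its window.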

How to Simplify RMF Implementation

Implementing the RMF with NIST 800-53 requires organizations to assess controls, track risks, manage assets and vendors, and produce audit-ready documentation, often across multiple departments and systems.

Isora GRC by SaltyCloud is the collaborative GRC Assessment Platform built for exactly this kind of work. With Isora, you can:

Assess NIST 800-53 controls across your organization. Isora includes prebuilt questionnaires aligned to NIST 800-53 and other major frameworks. Security teams can launch assessments across departments, track completion in real time, and collect evidence.

Maintain a live risk register connected to findings. Assessment results feed directly into Isora’s risk register, where teams can assign owners, document remediation plans, and track risk over time. This keeps risk data current and connected — not buried in spreadsheets — and supports continuous monitoring.

Track assets and vendors in one connected workspace. Isora links assessments, risks, and exceptions to a unified inventory of assets, vendors, and applications. This connected structure gives security teams the visibility they need for accurate system categorization and scoping during control selection.

Produce audit-ready reports for authorization decisions. Isora generates scorecards, risk matrices, and exportable reports that roll up assessment results into clear outputs. These reports provide the documentation Authorizing Officials need to make informed risk decisions.

Deploy fast and scale with your program. Unlike enterprise GRC suites that take months to implement, Isora deploys quickly and is designed for adoption. As programs grow — adding frameworks, vendors, or organizational units — Isora scales without losing structure.

Streamline security GRC workflows with Isora GRC.

RMF & NIST 800-53 FAQs

What is the relationship between RMF and NIST 800-53?

The NIST SP 800-37 Risk Management Framework (RMF) defines the process for managing security risk. NIST 800-53 provides the security and privacy controls used within that process. The RMF defines when and why security activities happen. NIST 800-53 defines the safeguards organizations implement to carry them out.

During Step 3 (Select), organizations choose controls from the NIST 800-53 catalog based on impact level and risk assessment results. Those controls are then implemented, assessed, authorized, and monitored throughout the RMF lifecycle.

What are the 7 steps of the RMF?

The 7 RMF steps are: (1) Prepare, (2) Categorize, (3) Select, (4) Implement, (5) Assess, (6) Authorize, and (7) Monitor. NIST 800-53 controls are selected in Step 3, implemented in Step 4, assessed in Step 5, and monitored in Step 7.

What happens during the RMF Select step?

Organizations choose security and privacy controls from the NIST 800-53 catalog based on impact level. They start with a predefined 800-53B baseline (Low, 149 controls; Moderate, 287 controls; High, 370 controls), then tailor it based on risk assessment results, organizational requirements, and any applicable overlays, such as the FedRAMP baselines for federal cloud systems.

Is the RMF only for federal agencies?

No. The RMF was developed for U.S. federal agencies and is mandatory under FISMA, but its structured, risk-based approach has driven broad adoption. Universities, healthcare providers, critical infrastructure operators, and private companies also use the RMF to manage cybersecurity risk.

What is the difference between NIST 800-37 and NIST 800-53?

NIST SP 800-37 defines the Risk Management Framework, a seven-step process for managing security risk. NIST SP 800-53 provides a catalog of roughly 1,200 security and privacy controls and control enhancements, organized into 20 families, that are used within that framework.

NIST SP 800-37 defines how organizations manage risk. NIST SP 800-53 defines what controls they implement.

How does the CA control family relate to the RMF?

The CA (Assessment, Authorization, and Monitoring) control family aligns directly with the later RMF steps. CA-2 defines control assessment requirements (Step 5). CA-6 defines the authorization process (Step 6). CA-7 establishes continuous monitoring requirements (Step 7), and CA-5 (Plan of Action and Milestones) tracks the weaknesses those steps uncover. Much of the RMF lifecycle is therefore expressed in the CA family as implementable controls.

What other NIST publications support the RMF?

NIST SP 800-53 provides the control catalog. NIST SP 800-53A defines how controls are assessed. NIST SP 800-30 explains risk assessment methodology.

NIST SP 800-60 provides system categorization guidance. NIST SP 800-137 supports continuous monitoring programs. NIST SP 800-39 covers organizational-level risk management. These publications work together as a system.

Conclusion

The RMF defines the process for managing risk. NIST 800-53 defines the security controls used within that process. Step 3 (Select) is where they connect most directly, but NIST 800-53 plays a role throughout the lifecycle — controls are selected, implemented, assessed, authorized, and monitored.

The CA control family illustrates this clearly. CA-2 (Control Assessments), CA-6 (Authorization), and CA-7 (Continuous Monitoring) correspond directly to the Assess, Authorize, and Monitor steps of the RMF.

Understanding how these pieces fit together turns the RMF from a compliance exercise into a practical approach to managing cybersecurity risk — where control selection is risk-informed, assessment is ongoing, and authorization decisions evolve as risks change.

Simplify RMF implementation with Isora GRC.

This content is for informational purposes only and does not constitute legal or compliance advice. See our full disclaimer.
