The NIST Risk Management Framework — codified in NIST SP 800-37 — was built for federal information systems and the structured authorisation processes that come with them. Non-federal organisations often dismiss it as too heavyweight, too focused on federal artefacts, and too process-intensive for their context. They are partly right and substantially wrong. The seven-step structure of the RMF is one of the most rigorous risk management frameworks available, and it scales down to non-federal contexts more cleanly than its reputation suggests.
The Seven Steps of the RMF
- Prepare: establish the risk management context, organisational risk tolerance, and governance.
- Categorise: determine the impact level of the information and systems in scope.
- Select: choose appropriate controls based on the categorisation and risk assessment.
- Implement: deploy the selected controls.
- Assess: evaluate whether the controls are in place and operating effectively.
- Authorise: leadership explicitly accepts the residual risk based on the assessment evidence.
- Monitor: continuously evaluate the effectiveness of the controls and changes in risk.

Each step has substantive content; smaller organisations can scale the artefacts down without losing the structure.
Why the Structure Holds Up Outside Federal Use
The underlying logic of the RMF — categorise impact, select controls proportional to impact, implement, verify operation, authorise based on residual risk, continuously monitor — applies to any organisation that processes information of varying sensitivity on systems of varying criticality. The federal-specific artefacts (System Security Plan in a particular template, formal authorisation by an Authorising Official) are the visible part. The reasoning structure underneath is the durable part, and it transfers cleanly to non-federal contexts.
Categorisation: The Step That Underpins Everything
Federal RMF uses FIPS 199 categorisation: confidentiality, integrity, and availability impact are each rated low, moderate, or high for every information type a system handles, and the system takes the highest rating present for each objective (the "high-water mark"), with the highest of the three becoming the system's overall impact level. Non-federal organisations can adopt the same impact-rating logic with different specific labels. The point is rating each information type and each system on a defensible scale, then using those ratings to select control rigour proportional to impact. Without this step, control selection becomes uncalibrated and the programme either over-controls low-risk systems or under-controls high-risk ones.
A common adaptation that works: a non-federal organisation uses the impact-rating logic, starts control selection from the NIST 800-53 baseline that matches the impact level (the low, moderate, and high baselines are published in SP 800-53B) and tailors it to its own risk, and produces an internal authorisation document signed by senior leadership. The authorisation is not a federal one, but it serves the same function: leadership has reviewed the evidence and accepted the residual risk explicitly. This is materially different from a security programme where leadership has implicitly accepted whatever risks remain.
Continuous Monitoring: Where Most Programmes Underinvest
The Monitor step is what makes the RMF a continuous discipline rather than a point-in-time exercise. Continuous monitoring (NIST SP 800-137 covers it in detail) includes ongoing control assessment, change detection, vulnerability management, and re-authorisation when a material change occurs, such as a system starting to handle a more sensitive information type or gaining a new external integration. Programmes that perform well during initial authorisation and underinvest in monitoring drift away from the assessed risk profile within months, because the systems keep changing while the assessment does not. The monitoring discipline is not optional in the RMF model; it is what keeps the assessment relevant.
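The categorisation and monitoring logic above is mechanical enough to live in code next to the asset inventory. The following is an added example, not code from the original article or from NIST: it computes a FIPS 199-style high-water-mark categorisation from inventory records, names the SP 800-53B baseline that follows from it, and flags a system for re-authorisation when an inventory change pushes its category above the level leadership signed off at. The `InfoType` and `SystemRecord` structures, the system and information-type names, and the "recomputed category exceeds authorised level" rule are constructed for the example; the high-water-mark rule itself is the one FIPS 199 and SP 800-60 describe.

```python
"""Added example (not from the original article or from NIST): FIPS 199-style
categorisation driven from a constructed asset inventory, the SP 800-53B
baseline that follows from it, and a monitoring check for category drift."""

from dataclasses import dataclass
from typing import Optional, Tuple

# Impact levels in ascending order; RANK lets us compare them numerically.
LEVELS = ("low", "moderate", "high")
RANK = {level: i for i, level in enumerate(LEVELS)}
OBJECTIVES = ("confidentiality", "integrity", "availability")


@dataclass(frozen=True)
class InfoType:
    """One information type with its impact rating per security objective."""
    name: str
    confidentiality: str
    integrity: str
    availability: str

    def rating(self, objective: str) -> str:
        value = getattr(self, objective)
        if value not in RANK:
            raise ValueError(f"{self.name}: bad {objective} rating {value!r}")
        return value


@dataclass
class SystemRecord:
    """A constructed inventory (CMDB) entry: the information types a system handles
    and the impact level leadership authorised it at, if any."""
    name: str
    info_types: Tuple[InfoType, ...]
    authorised_level: Optional[str] = None


def high_water_mark(levels) -> str:
    """FIPS 199 rule: the impact of a set of ratings is the highest one present."""
    return max(levels, key=RANK.__getitem__)


def categorise(system: SystemRecord) -> dict:
    """Per-objective impact (max over information types) plus the overall level."""
    if not system.info_types:
        raise ValueError(f"{system.name}: no information types recorded")
    result = {
        obj: high_water_mark(it.rating(obj) for it in system.info_types)
        for obj in OBJECTIVES
    }
    result["overall"] = high_water_mark(result.values())
    return result


def select_baseline(overall_level: str) -> str:
    """SP 800-53B publishes one baseline per impact level; tailoring starts there."""
    if overall_level not in RANK:
        raise ValueError(f"unknown impact level {overall_level!r}")
    return f"SP 800-53B {overall_level} baseline"


def reauthorisation_needed(system: SystemRecord) -> bool:
    """Constructed monitoring rule: a system that was never authorised, or whose
    recomputed category now exceeds the authorised level, must go back through
    Authorise. A drop in category is reported as drift elsewhere, not here."""
    if system.authorised_level is None:
        return True
    return RANK[categorise(system)["overall"]] > RANK[system.authorised_level]


# Constructed inventory records for the demonstration.
PUBLIC_CONTENT = InfoType("public web content", "low", "low", "low")
PAYMENT_RECORDS = InfoType("customer payment records", "high", "high", "moderate")


def demo() -> Tuple[str, str, bool]:
    """Walk one system through authorisation and a later material change."""
    portal = SystemRecord("customer portal", (PUBLIC_CONTENT,))
    before = categorise(portal)["overall"]
    portal.authorised_level = before          # leadership signs off at this level
    # Later, the inventory records a new information type on the same system.
    portal.info_types = portal.info_types + (PAYMENT_RECORDS,)
    after = categorise(portal)["overall"]
    return before, after, reauthorisation_needed(portal)


if __name__ == "__main__":
    before, after, flagged = demo()
    print(f"authorised at {before}, now {after}, re-authorisation needed: {flagged}")
```

The design choice worth noting is that the category is derived from the inventory every time rather than stored as a static field: that is what turns the categorisation step into a monitoring signal, because any change to the information types recorded against a system is automatically re-evaluated against the level leadership actually accepted.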
How to Adopt Pragmatically
- Adopt the seven-step structure but scale the artefact depth to your organisational size
- Use NIST 800-53 as the control catalogue, starting from the SP 800-53B baseline for your impact level and tailoring it to your risk
- Build categorisation into your CMDB or asset inventory rather than a parallel artefact
- Define authorising officials internally — leadership owns the residual risk acceptance explicitly
- Integrate continuous monitoring with the security operations you already run
- Use the SSP-equivalent artefact as a living document, not a once-a-year exercise
When the RMF Is the Right Choice
The RMF is most clearly valuable for organisations that process information of varying sensitivity on systems of varying criticality, where impact-proportional risk management produces meaningfully better outcomes than uniform controls. It is appropriate for federal contractors who need to demonstrate alignment, regulated industries where comparable rigour is expected, and security-mature organisations seeking a framework that integrates with NIST 800-53 and 800-30. It is overkill for very small organisations whose entire IT estate is a single SaaS environment with no systems they operate themselves.