NIST Risk Management Framework: The Seven Steps to Continuous Security Authorisation
The NIST Risk Management Framework (RMF) is the U.S. federal government's systematic approach to managing information security risk for federal information systems. Established under FISMA and documented in NIST Special Publication 800-37, the RMF provides a seven-step lifecycle process for selecting, implementing, assessing, and monitoring security and privacy controls. Understanding and implementing the RMF is essential for federal agencies, government contractors, and any organisation pursuing FedRAMP authorisation or FISMA compliance.
The Seven Steps of the NIST RMF
Step 1 — Prepare: Establishing the context for risk management before the remaining RMF steps begin. This includes identifying roles and responsibilities, establishing the risk management strategy, identifying common controls, and conducting organisation-level and system-level risk assessments. This step, added in SP 800-37 Revision 2, recognises that preparation is foundational to the efficiency of the subsequent steps.
Step 2 — Categorise: Determining the impact level of the information system using FIPS Publication 199 and NIST SP 800-60. Systems are categorised as Low, Moderate, or High impact based on the potential impact of a security breach on confidentiality, integrity, and availability. Categorisation drives the selection of security controls in Step 3.
Step 3 — Select: Selecting the security and privacy controls from NIST SP 800-53 appropriate to the system's impact level. The SP 800-53 control baselines for Low, Moderate, and High impact systems provide starting points that are then tailored based on system-specific requirements.
Step 4 — Implement: Implementing the selected security controls in the information system and documenting the implementation in the System Security Plan (SSP). Technical, administrative, and physical controls are configured and deployed.
Step 5 — Assess: An independent assessor evaluates whether the implemented controls are in place, operating as intended, and producing the desired outcome. The assessment produces a Security Assessment Report (SAR) documenting findings.
Step 6 — Authorise: The Authorising Official (AO) reviews the risk posture — SSP, SAR, and Plan of Action & Milestones (POA&M) — and makes a risk-based decision to grant, deny, or conditionally grant an Authorization to Operate (ATO).
Step 7 — Monitor: Continuously monitoring the security controls, documenting changes, conducting ongoing assessments, and reporting security status to the AO. The ATO is maintained through continuous monitoring rather than point-in-time assessments.
The System Security Plan: The Heart of the RMF
The System Security Plan (SSP) is the primary documentation artifact of the RMF. It comprehensively documents:
- System description, boundary, and operating environment
- System categorisation rationale
- Security control selection and tailoring decisions
- Implementation status of each selected control (implemented, partially implemented, planned, not applicable)
- Implementation description for each control — what specific technology, process, or procedure implements the control
- Responsible roles for each control
- Common controls inherited from organisation-level programs
The SSP becomes the authoritative reference for the system's security posture and is the primary document reviewed during assessment and authorisation.
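As an added example (not part of the original page or Savadub's own tooling), the FIPS 199 high-water-mark rule behind Step 2 and the SSP implementation-status inventory described above, in Python. The information types, impact values and control statuses are constructed sample data for a hypothetical system.

```python
from dataclasses import dataclass

# FIPS 199 impact levels, ordered so the high-water mark is a plain max().
LEVELS = {"low": 1, "moderate": 2, "high": 3}
NAMES = {rank: name for name, rank in LEVELS.items()}
OBJECTIVES = ("confidentiality", "integrity", "availability")
# The four implementation statuses an SSP records for each selected control.
SSP_STATUSES = {"implemented", "partially implemented", "planned", "not applicable"}


@dataclass(frozen=True)
class InfoType:
    """One information type with its provisional C/I/A impact levels (SP 800-60 style)."""
    name: str
    confidentiality: str
    integrity: str
    availability: str


def categorize(info_types):
    """FIPS 199 high-water mark: each objective takes the highest impact across all
    information types; the overall system level, which selects the SP 800-53 baseline
    in Step 3, is the highest of the three objectives."""
    per_objective = {
        obj: NAMES[max(LEVELS[getattr(t, obj)] for t in info_types)]
        for obj in OBJECTIVES
    }
    system_level = NAMES[max(LEVELS[v] for v in per_objective.values())]
    return per_objective, system_level


def poam_candidates(ssp_controls):
    """Controls the SSP records as not yet fully implemented become POA&M items.
    'not applicable' is a tailoring decision, not a gap, so it is never listed.
    Any status outside the four allowed values is rejected as an SSP data error."""
    bad = {cid: s for cid, s in ssp_controls.items() if s not in SSP_STATUSES}
    if bad:
        raise ValueError(f"unknown SSP implementation status: {bad}")
    return sorted(cid for cid, s in ssp_controls.items()
                  if s in ("partially implemented", "planned"))


# Constructed sample data (hypothetical system, not a real categorisation).
SAMPLE_INFO_TYPES = [
    InfoType("citizen-records", "moderate", "moderate", "low"),
    InfoType("public-web-content", "low", "low", "moderate"),
]
SAMPLE_SSP_CONTROLS = {
    "AC-2": "implemented",
    "AU-6": "partially implemented",
    "CM-8": "planned",
    "PE-3": "not applicable",
}
```

Running `categorize(SAMPLE_INFO_TYPES)` yields a Moderate level for all three objectives and therefore a Moderate system, even though no single information type is Moderate across the board; that is exactly why the high-water mark tends to push systems up a baseline.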
Continuous Monitoring: Maintaining Your ATO
An ATO is not a one-time achievement — it must be maintained through continuous monitoring. The continuous monitoring strategy includes:
Monthly: Vulnerability scanning of in-scope systems, review of security alerts and incidents, patch management status reporting.
Quarterly: Review of selected security controls, POA&M updates with closure evidence for completed items, assessment of any significant system changes.
Annually: Full annual security assessment of a subset of controls, updated risk assessment, annual security awareness training completion, security plan review and update.
Event-driven: Assessment of any significant change (new functionality, new data types, infrastructure changes, personnel changes in key security roles) to determine whether the ATO remains valid.
RMF for Government Contractors
Government contractors handling federal information must comply with FISMA requirements through the RMF. Key implications:
CMMC alignment: The Cybersecurity Maturity Model Certification (CMMC) for DoD contractors incorporates NIST SP 800-171 controls that are a subset of SP 800-53 Moderate baseline controls. RMF experience directly prepares contractors for CMMC compliance.
FedRAMP for cloud: Cloud service providers seeking to provide services to federal agencies must achieve FedRAMP Authority to Operate — which uses the RMF process applied to cloud systems using FedRAMP-specific control baselines and assessment requirements.
NIST SP 800-171 for CUI: Contractors handling Controlled Unclassified Information (CUI) must implement NIST SP 800-171 controls — 110 requirements derived from the SP 800-53 Moderate baseline.
Why Organisations Choose Savadub
Deep GRC Expertise
Our team holds practitioner-level expertise across every major compliance framework — not just theoretical knowledge, but hands-on implementation experience across multiple industries and organisation sizes.
Engineers, Not Just Consultants
We implement controls, not just recommend them. Our GRC engineers configure the systems, write the integrations, and build the monitoring pipelines that make compliance operational.
Global and African Regulatory Coverage
We understand both the global frameworks and the African regulatory environment — NDPR, NDPA, CBN directives, NITDA guidelines, and regional data protection laws — making us uniquely positioned for organisations operating across Africa and internationally.
Internal and External Audit Capability
We provide both embedded internal audit functions and independent third-party audit support, including CPA-accredited audit coordination for SOC examinations.
End-to-End Engagement
From initial gap assessment through certification, continuous monitoring, and ongoing compliance management — we are your long-term GRC partner, not a one-time consultant.
Industries We Serve
Financial Services · Healthcare · Technology & SaaS · Manufacturing · Logistics & Trade · Government & Public Sector · Energy & Critical Infrastructure · Education & EdTech · Media & Broadcasting · Retail & E-Commerce · Professional Services · Food & Beverage
Deliverables You Receive
Working with Savadub, every engagement delivers a concrete set of outputs:
- Gap Assessment Report — prioritised findings with effort estimates and risk ratings
- Compliance Roadmap — milestone-based plan from current state to certification or attestation
- Risk Register — organisational risk register with treatment plans
- Policy Pack — all required policies authored, reviewed, and approved
- Technical Control Implementation Evidence — configurations, screenshots, and audit trails
- Internal Audit Report — independent assessment of control effectiveness
- Audit Evidence Repository — organised, auditor-ready evidence collection
- Executive Summary Presentation — board and leadership-ready compliance status
- Remediation Tracker — structured tracking of open findings and closure evidence
- Continuous Monitoring Setup — ongoing CCM pipeline for post-certification compliance
Get Started with Savadub
Savadub's GRC practice combines deep compliance expertise with technical engineering capability. We don't just advise — we build, implement, and operate your compliance program from the ground up.
Book a free GRC consultation with our team. We will review your current posture, identify your most critical gaps, and give you a clear, costed roadmap to compliance.
Contact us:
- Email: grc@savadub.com
- Phone: +234 816 734 2201
- WhatsApp: +234 903 234 8435
- Website: www.savadub.com